From b8e1188102f35fcd75d76f5c2ff707269787d95c Mon Sep 17 00:00:00 2001
From: cha0smaster
Date: Sat, 2 Jul 2005 13:58:02 +0000
Subject: [PATCH] Fix memory managament error in ntfs_inode_close.

ntfs_extent_inode_open allocates buffer for up to 4 extent inodes, to prevent many reallocates. But ntfs_inode_close always reallocate buffer to store exactly @nr_extents inodes. Bug will arise in following scenario: 1) ntfs_extent_inode_open (1 extent, allocate buffer for 4) 2) ntfs_extent_inode_open (2 extents, use already allocated buffer) 3) ntfs_inode_close(extent_ni) (1 extent, reallocate buffer for 1 extent) 4) ntfs_extent_inode_open (2 extents, don't reallocate buffer because it should be for 4 elements, but really it's for 1, write to unitialized space, segfault)
---
 ChangeLog | 4 ++++
 libntfs/inode.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f96d5546..e085112c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+xx/xx/xxxx - 1.10.1-WIP
+
+	- Fix memory managament error in ntfs_inode_close. (Yura)
+
 20/06/2005 - 1.10.0 - Lots of new features, enhancements, and bug fixes.
 
 	- Add start_vcn parameter to ntfs_get_size_for_mapping_pairs() and

diff --git a/libntfs/inode.c b/libntfs/inode.c
index cbab29fe..cc0ead1b 100644
--- a/libntfs/inode.c
+++ b/libntfs/inode.c
@@ -255,7 +255,8 @@ int ntfs_inode_close(ntfs_inode *ni)
 	 */
 	if (--base_ni->nr_extents) {
 		/* Resize the memory buffer. */
-		tmp_nis = realloc(tmp_nis, base_ni->nr_extents *
+		tmp_nis = realloc(tmp_nis, ((base_ni->
+				nr_extents + 3) & ~3) *
 				sizeof(ntfs_inode *));
 		/* Ignore errors, they don't really matter. */
 		if (tmp_nis)
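Review bot: The new rounding `((base_ni->nr_extents + 3) & ~3)` in the realloc call silently re-states an invariant that is defined elsewhere — the commit message says ntfs_extent_inode_open grows the buffer in steps of 4 — so the two literals can drift apart again and re-create the out-of-bounds write this commit fixes, with nothing in either function pointing at the other. I would lift the step into one shared definition used by both sites (a constructed name such as `NTFS_EXTENT_ALLOC_STEP`, value 4) and put a comment above the realloc: `/* Keep the rounding identical to ntfs_extent_inode_open(), which only reallocates when nr_extents crosses a multiple of 4; a smaller buffer here is an overflow on the next open. */`. The "Ignore errors" comment is only safe if a failed shrink leaves the previous, larger buffer reachable from base_ni, which the visible lines do not show; it is worth stating that assumption in the same comment. The four-step scenario in the commit message is a ready-made regression test and would be cheap to add. ntfs_inode_close's body starts and continues outside the hunk.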