From b8b8d20f5b19b6a3982759a9b82b54a4ac277afd Mon Sep 17 00:00:00 2001 From: apio Date: Tue, 28 Mar 2023 18:37:12 +0200 Subject: [PATCH] Vector: Let realloc do its job and thus avoid a UAF (a particularly nasty one) Who even thought that copying from an old pointer passed to realloc() was a good idea? Me, apparently. Additionally, the entire point of this memcpy() was to copy the data over from the old buffer (which is already freed btw) to the new buffer, which is already done by realloc. That's the entire point of realloc. The data is copied over by realloc already. And even if the old pointer is not unmapped, we scrub freed memory with useless data, so the memcpy sets the vector's buffer to that useless data as well. I don't even know how I managed to introduce so many bugs into Vector. At least it should work properly now. --- libluna/include/luna/Vector.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libluna/include/luna/Vector.h b/libluna/include/luna/Vector.h index 4a1ac128..4de73e11 100644 --- a/libluna/include/luna/Vector.h +++ b/libluna/include/luna/Vector.h @@ -178,10 +178,6 @@ template class Vector void* const ptr = TRY(realloc_impl(m_data, new_byte_capacity)); - if (new_capacity < m_capacity) memcpy(ptr, m_data, new_byte_capacity); - else - memcpy(ptr, m_data, byte_capacity()); - m_capacity = new_capacity; m_data = (T*)ptr; return {};
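Review bot: Dropping both memcpy() calls is the correct fix, because realloc already moves min(old size, new size) bytes into the new block and the old block pointed to by `m_data` must not be read once `realloc_impl` has returned; to keep the copy from being reintroduced, add a one-line comment above `m_capacity = new_capacity;` stating that `realloc_impl` preserves the buffer contents. One point to confirm outside this hunk: the removed `if (new_capacity < m_capacity)` branch shows this path is also used to shrink the buffer, yet the visible lines only update `m_capacity` and `m_data`, so if the element count can exceed the new capacity it needs clamping here or a check at the caller. The early return from `TRY(realloc_impl(m_data, new_byte_capacity))` leaves `m_data` untouched on failure, which is the desired behaviour.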