Fix crash when ArrayList runs out of memory (#1235)
The allocation size was still updated to the bigger size even if memory allocation failed. Trying to write to the supposedly available new space would overflow the heap and crash. Fixes #1233
This commit is contained in:
		
							parent
							
								
									adcc0efda6
								
							
						
					
					
						commit
						5597fc56d3
					
				| @ -35,6 +35,7 @@ | |||||||
| #include <stdlib.h> | #include <stdlib.h> | ||||||
| #include <string.h> | #include <string.h> | ||||||
| #include <ICellArray.h> | #include <ICellArray.h> | ||||||
|  | #include <amtl/am-bits.h> | ||||||
| 
 | 
 | ||||||
| extern HandleType_t htCellArray; | extern HandleType_t htCellArray; | ||||||
| 
 | 
 | ||||||
| @ -214,30 +215,34 @@ private: | |||||||
| 		{ | 		{ | ||||||
| 			return true; | 			return true; | ||||||
| 		} | 		} | ||||||
|  | 		size_t newAllocSize = m_AllocSize; | ||||||
| 		/* Set a base allocation size of 8 items */ | 		/* Set a base allocation size of 8 items */ | ||||||
| 		if (!m_AllocSize) | 		if (!newAllocSize) | ||||||
| 		{ | 		{ | ||||||
| 			m_AllocSize = 8; | 			newAllocSize = 8; | ||||||
|  | 		} | ||||||
|  | 		if (!ke::IsUintPtrAddSafe(m_Size, count)) | ||||||
|  | 		{ | ||||||
|  | 			return false; | ||||||
| 		} | 		} | ||||||
| 		/* If it's not enough, keep doubling */ | 		/* If it's not enough, keep doubling */ | ||||||
| 		while (m_Size + count > m_AllocSize) | 		while (m_Size + count > newAllocSize) | ||||||
| 		{ | 		{ | ||||||
| 			m_AllocSize *= 2; | 			if (!ke::IsUintPtrMultiplySafe(newAllocSize, 2)) | ||||||
| 		} |  | ||||||
| 		/* finally, allocate the new block */ |  | ||||||
| 		if (m_Data) |  | ||||||
| 		{ |  | ||||||
| 			cell_t *data = static_cast<cell_t*>(realloc(m_Data, sizeof(cell_t) * m_BlockSize * m_AllocSize)); |  | ||||||
| 			if (!data)  // allocation failure
 |  | ||||||
| 			{ | 			{ | ||||||
| 				return false; | 				return false; | ||||||
| 			} | 			} | ||||||
| 
 | 			newAllocSize *= 2; | ||||||
| 			m_Data = data; |  | ||||||
| 		} else { |  | ||||||
| 			m_Data = static_cast<cell_t*>(malloc(sizeof(cell_t) * m_BlockSize * m_AllocSize)); |  | ||||||
| 		} | 		} | ||||||
| 		return (m_Data != nullptr); | 		/* finally, allocate the new block */ | ||||||
|  | 		cell_t *data = static_cast<cell_t*>(realloc(m_Data, sizeof(cell_t) * m_BlockSize * newAllocSize)); | ||||||
|  | 		/* Update state if allocation was successful */ | ||||||
|  | 		if (data) | ||||||
|  | 		{ | ||||||
|  | 			m_AllocSize = newAllocSize; | ||||||
|  | 			m_Data = data; | ||||||
|  | 		} | ||||||
|  | 		return (data != nullptr); | ||||||
| 	} | 	} | ||||||
| private: | private: | ||||||
| 	cell_t *m_Data; | 	cell_t *m_Data; | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user