8263558: Possible NULL dereference in fast path arena free if ZapReso…

…urceArea is true Backport-of: d2c137d408b9c44f8f8d71e62dfea24a4279300e
openjdk · Apr 6, 2021 · 426cb6ad2aba959c89bc9f1aed12da4c107ff21d · 426cb6a · openjdk-notifier · Apr 6, 2021
1 parent 27c8449
commit 426cb6ad2aba959c89bc9f1aed12da4c107ff21d
Showing with 11 additions and 1 deletion.

+8 −1 src/hotspot/share/memory/arena.cpp

+3 −0 src/hotspot/share/memory/arena.hpp
diff --git a/src/hotspot/share/memory/arena.cpp b/src/hotspot/share/memory/arena.cpp
@@ -373,7 +373,14 @@ void* Arena::grow(size_t x, AllocFailType alloc_failmode) {
 
 // Reallocate storage in Arena.
 void *Arena::Arealloc(void* old_ptr, size_t old_size, size_t new_size, AllocFailType alloc_failmode) {
-  if (new_size == 0) return NULL;
+  if (new_size == 0) {
+    Afree(old_ptr, old_size); // like realloc(3)
+    return NULL;
+  }
+  if (old_ptr == NULL) {
+    assert(old_size == 0, "sanity");
+    return Amalloc(new_size, alloc_failmode); // as with realloc(3), a NULL old ptr is equivalent to malloc(3)
+  }
 #ifdef ASSERT
   if (UseMallocOnly) {
     // always allocate a new object  (otherwise we'll free this one twice)

diff --git a/src/hotspot/share/memory/arena.hpp b/src/hotspot/share/memory/arena.hpp
@@ -186,6 +186,9 @@ class Arena : public CHeapObj<mtNone> {
 
   // Fast delete in area.  Common case is: NOP (except for storage reclaimed)
   bool Afree(void *ptr, size_t size) {
+    if (ptr == NULL) {
+      return true; // as with free(3), freeing NULL is a noop.
+    }
 #ifdef ASSERT
     if (ZapResourceArea) memset(ptr, badResourceValue, size); // zap freed memory
     if (UseMallocOnly) return true;