talloc: Fix write behind memory block

If ALWASY_REALLOC is defined and we are to 'shrink' memory block,
memcpy() will write outside memory just allocated.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
(cherry picked from commit 8efabcc8a5dcd83deed8ef8e17826a1d347e6d83)

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7beda4b0f587b69c0f549eb76d2935f1d4413d55..f7b1ac3dbd782d58ac86baff174e19b30eef912d 100644 (file)
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1184,7 +1184,7 @@ void *_talloc_realloc(const void *context, void *ptr, size_t size, const char *n
 #if ALWAYS_REALLOC
        new_ptr = malloc(size + TC_HDR_SIZE);
        if (new_ptr) {
-               memcpy(new_ptr, tc, tc->size + TC_HDR_SIZE);
+               memcpy(new_ptr, tc, MIN(tc->size, size) + TC_HDR_SIZE);
                free(tc);
        }
 #else