https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106539
Bug ID: 106539
Summary: -fanalyzer doesn't consider that realloc could shrink the buffer
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

realloc's success_with_move::update_model uses the new size of the buffer when copying the contents of the old buffer, rather than the minimum of the old and new sizes - I hadn't thought of the "shrinks the buffer" case. Consider:

```c
#include <stdlib.h>

void *test (void)
{
  void **p = (void **)malloc (sizeof (void *) * 2);
  if (!p)
    return NULL;
  p[0] = malloc(10);
  p[1] = malloc(20); /* will be leaked if p is shrunk (e.g. during a move) */
  void *q = realloc (p, sizeof (void *));
  if (!q)
    return p;
  return q;
}
```

-fanalyzer probably ought to complain about a leak of p[1] after p is shrunk, but doesn't at the moment.
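Added example, not part of the bug report or of GCC: it reproduces the shrink-leak shape of test() beside the corrected idiom (free what the discarded slots own before shrinking) and makes the leak observable with a small allocation counter, since realloc only preserves min(old size, new size) bytes. The xmalloc/xfree wrappers and leaked_by helper are constructed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Counts outstanding allocations so the leak is observable without a tool. */
static size_t live_allocs;
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Same shape as the report's test(): a 2-slot pointer array is shrunk to one
   slot.  Only the first sizeof(void *) bytes survive the realloc, so the block
   owned by p[1] becomes unreachable and is never freed. */
void **shrink_leaky(void)
{
  void **p = xmalloc(sizeof *p * 2);
  if (!p) return NULL;
  p[0] = xmalloc(10);
  p[1] = xmalloc(20);
  void **q = realloc(p, sizeof *p);   /* slot 1 is gone, its block is not */
  return q ? q : p;
}

/* Corrected version: release whatever the slots being cut off own before
   shrinking, because realloc keeps only min(old, new) bytes of content. */
void **shrink_correct(void)
{
  void **p = xmalloc(sizeof *p * 2);
  if (!p) return NULL;
  p[0] = xmalloc(10);
  p[1] = xmalloc(20);
  xfree(p[1]);                        /* slot 1 will not survive the shrink */
  p[1] = NULL;
  void **q = realloc(p, sizeof *p);
  return q ? q : p;
}

/* Runs one shrink routine, frees everything still reachable from its result
   and returns how many allocations remain: 0 means nothing leaked. */
size_t leaked_by(void **(*shrink)(void))
{
  live_allocs = 0;
  void **arr = shrink();
  if (arr) { xfree(arr[0]); xfree(arr); }
  return live_allocs;
}

int main(void)
{
  printf("leaky: %zu leaked\n", leaked_by(shrink_leaky));     /* 1 */
  printf("correct: %zu leaked\n", leaked_by(shrink_correct)); /* 0 */
  return 0;
}
```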