zstdtest has some inline data where some testcases lack the uncompressed length field. Thus it computes that but still ends up allocating memory for the uncompressed buffer based on that (zero) length. Oops. Causes memory corruption if the allocator returns non-NULL.
Tested on x86_64-unknown-linux-gnu, pushed as obvious. libbacktrace/ * zstdtest.c (test_samples): Properly compute the allocation size for the uncompressed data. --- libbacktrace/zstdtest.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libbacktrace/zstdtest.c b/libbacktrace/zstdtest.c index 1b4158a50eb..1a27d90e29e 100644 --- a/libbacktrace/zstdtest.c +++ b/libbacktrace/zstdtest.c @@ -197,7 +197,11 @@ test_samples (struct backtrace_state *state) unsigned char *uncompressed; size_t uncompressed_len; - uncompressed = (unsigned char *) malloc (tests[i].uncompressed_len); + uncompressed_len = tests[i].uncompressed_len; + if (uncompressed_len == 0) + uncompressed_len = strlen (tests[i].uncompressed); + + uncompressed = (unsigned char *) malloc (uncompressed_len); if (uncompressed == NULL) { perror ("malloc"); @@ -206,10 +210,6 @@ test_samples (struct backtrace_state *state) continue; } - uncompressed_len = tests[i].uncompressed_len; - if (uncompressed_len == 0) - uncompressed_len = strlen (tests[i].uncompressed); - if (!backtrace_uncompress_zstd (state, ((const unsigned char *) tests[i].compressed), -- 2.35.3
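Review bot: in the first hunk, the fallback `uncompressed_len = strlen (tests[i].uncompressed);` assumes that every sample whose length field is zero holds NUL-free text; a sample with an embedded NUL byte would again be under-allocated, so a one-line comment above `if (uncompressed_len == 0)` stating that the length field may be omitted only for plain string samples would make that assumption explicit to the next reader. The reordering itself is the right fix: the old `malloc (tests[i].uncompressed_len)` requested zero bytes for those samples, and the `if (uncompressed == NULL)` check that follows only catches a NULL return, not a too-small buffer, which is exactly the corruption the commit message describes.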
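Review bot: the second hunk is the other half of a pure move: the lines dropped here are identical to those added before the `malloc` in the first hunk, and the `backtrace_uncompress_zstd (state, ((const unsigned char *) tests[i].compressed),` call in the trailing context still sees `uncompressed_len` assigned, so behaviour after the allocation is unchanged. From the visible context the only code between the new assignment and the old one is the `perror ("malloc"); ... continue;` error path, which does not reference `uncompressed_len`, so nothing observes the variable before it is set.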