https://github.com/espressif/esp-idf/co ... d703c13e59
Will be backported to release/v3.0 shortly.
caseymdk wrote: Phew...that seems like a major buffer overrun bug! Was that a serious one or am I misreading/misunderstanding?

I'm not really aware of a non-serious type of memory corruption bug...
The thing here is, usually in realloc, if you're shrinking the buffer, it shrinks in place. Therefore, if you find yourself allocating a new buffer and copying to it, then you know it's because old_size is the smaller size. This was probably always true when this code was originally written.
Since then, two situations have been added (mentioned in the commit message) where this may not be true:

- Comprehensive heap checking mode (we don't shrink buffers in place in this mode, to keep the poisoning code manageable).
- The feature that you can use heap_caps_realloc() to take a buffer that was in one kind of memory and move it into a different kind of memory, possibly resizing at the same time.
In these cases, a memcpy could happen to the new buffer where size < old_size.
We should have caught this in feature development or testing, but we didn't. Thanks to everyone who persisted in testing and ruling out other sources of corruption.
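The copy-length mistake described above, as an added example that is not code from the post or from ESP-IDF. It models a "relocating" realloc (new block allocated, old contents copied over) and shows why copying old_size bytes unconditionally is only safe while the new block is at least as large: when a shrink is relocated instead of done in place, the copy runs past the end of the new block. The function names (copy_len_buggy, copy_len_fixed, realloc_by_copy, canary_survives) and the canary arena are assumptions made for this example; the canary stands in for whatever sits after the new block on a real heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical copy-length policies for a relocating realloc.
 * The buggy one is the pattern the post describes: always copy old_size. */
static size_t copy_len_buggy(size_t old_size, size_t new_size)
{
    (void)new_size;
    return old_size;            /* overruns the new block when new_size < old_size */
}

/* Fixed policy: never copy more than the new block can hold. */
static size_t copy_len_fixed(size_t old_size, size_t new_size)
{
    return old_size < new_size ? old_size : new_size;
}

/* Hardened relocating realloc using the fixed copy length. Hypothetical
 * helper name; plain malloc/free so it runs on any host. */
static void *realloc_by_copy(void *old, size_t old_size, size_t new_size)
{
    void *p = malloc(new_size ? new_size : 1);
    if (p == NULL)
        return NULL;
    memcpy(p, old, copy_len_fixed(old_size, new_size));
    free(old);
    return p;
}

/* Harness: the "new block" is the first new_size bytes of a constructed
 * arena, immediately followed by a canary word. Copying more than new_size
 * bytes clobbers the canary, which models heap metadata or a neighbouring
 * allocation being overwritten. Returns 1 if the canary survived, 0 if it
 * was clobbered, -1 if the sizes do not fit the arena. */
#define ARENA_SIZE 64
static const uint32_t CANARY = 0xDEADBEEFu;

static int canary_survives(size_t old_size, size_t new_size,
                           size_t (*copy_len)(size_t, size_t))
{
    unsigned char old_block[ARENA_SIZE];
    unsigned char arena[ARENA_SIZE];
    uint32_t got;

    if (old_size > ARENA_SIZE || new_size + sizeof CANARY > ARENA_SIZE)
        return -1;

    memset(old_block, 0xAA, sizeof old_block);      /* constructed old contents */
    memset(arena, 0, sizeof arena);
    memcpy(arena + new_size, &CANARY, sizeof CANARY); /* canary right after new block */

    memcpy(arena, old_block, copy_len(old_size, new_size));

    memcpy(&got, arena + new_size, sizeof got);
    return got == CANARY;
}

int main(void)
{
    printf("grow   16->32, buggy: canary %s\n",
           canary_survives(16, 32, copy_len_buggy) ? "intact" : "CLOBBERED");
    printf("shrink 32->16, buggy: canary %s\n",
           canary_survives(32, 16, copy_len_buggy) ? "intact" : "CLOBBERED");
    printf("shrink 32->16, fixed: canary %s\n",
           canary_survives(32, 16, copy_len_fixed) ? "intact" : "CLOBBERED");

    /* Shrink via relocation using the hardened helper. */
    char *buf = malloc(32);
    if (buf == NULL)
        return 1;
    memset(buf, 'x', 32);
    buf = realloc_by_copy(buf, 32, 8);
    if (buf == NULL)
        return 1;
    printf("relocated shrink kept first byte: %c\n", buf[0]);
    free(buf);
    return 0;
}
```

The grow case passes with either policy, which is why the bug stayed hidden as long as shrinks happened in place; only a relocated shrink (heap poisoning mode, or a move between memory types) exercises the path where old_size exceeds the new block.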