Fix heap node corruption (#428)

igrr · igrr · commit 001a129c3ae9 · 2015-09-28T11:59:34.000+03:00
diff --git a/cores/esp8266/WString.cpp b/cores/esp8266/WString.cpp
@@ -118,7 +118,7 @@ ICACHE_FLASH_ATTR String::String(double value, unsigned char decimalPlaces) {
 }
 
 ICACHE_FLASH_ATTR String::~String() {
-    os_free(buffer);
+    free(buffer);
 }
 
 // /*********************************************/
@@ -133,7 +133,7 @@ inline void String::init(void) {
 
 void ICACHE_FLASH_ATTR String::invalidate(void) {
     if(buffer)
-        os_free(buffer);
+        free(buffer);
     buffer = NULL;
     capacity = len = 0;
 }
@@ -150,12 +150,18 @@ unsigned char ICACHE_FLASH_ATTR String::reserve(unsigned int size) {
 }
 
 unsigned char ICACHE_FLASH_ATTR String::changeBuffer(unsigned int maxStrLen) {
-    char *newbuffer = (char *) os_realloc(buffer, maxStrLen + 1);
+    size_t newSize = (maxStrLen + 16) & (~0xf);
+    char *newbuffer = (char *) malloc(newSize);
     if(newbuffer) {
+        memset(newbuffer, 0, newSize);
+        memcpy(newbuffer, buffer, len);
+        if (buffer)
+            free(buffer);
+        capacity = newSize - 1;
         buffer = newbuffer;
-        capacity = maxStrLen;
         return 1;
     }
+    buffer = newbuffer;
     return 0;
 }
 
@@ -192,7 +198,7 @@ void ICACHE_FLASH_ATTR String::move(String &rhs) {
             rhs.len = 0;
             return;
         } else {
-            os_free(buffer);
+            free(buffer);
         }
     }
     buffer = rhs.buffer;
diff --git a/libraries/ESP8266WebServer/src/ESP8266WebServer.cpp b/libraries/ESP8266WebServer/src/ESP8266WebServer.cpp
@@ -130,10 +130,10 @@ void ESP8266WebServer::_prepareHeader(String& response, int code, const char* co
 
     sendHeader("Content-Type", content_type, true);
     if (_contentLength != CONTENT_LENGTH_UNKNOWN && _contentLength != CONTENT_LENGTH_NOT_SET) {
-        sendHeader("Content-Length", String(_contentLength).c_str());
+        sendHeader("Content-Length", String(_contentLength));
     }
     else if (contentLength > 0){
-        sendHeader("Content-Length", String(contentLength).c_str());
+        sendHeader("Content-Length", String(contentLength));
     }
     sendHeader("Connection", "close");
     sendHeader("Access-Control-Allow-Origin", "*");
diff --git a/tools/sdk/lib/liblwip.a b/tools/sdk/lib/liblwip.a

Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ ICACHE_FLASH_ATTR String::String(double value, unsigned char decimalPlaces) {`
`118`	`118`	`}`
`119`	`119`
`120`	`120`	`ICACHE_FLASH_ATTR String::~String() {`
`121`		`- os_free(buffer);`
	`121`	`+ free(buffer);`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`// /*********************************************/`
`@@ -133,7 +133,7 @@ inline void String::init(void) {`
`133`	`133`
`134`	`134`	`void ICACHE_FLASH_ATTR String::invalidate(void) {`
`135`	`135`	`if(buffer)`
`136`		`- os_free(buffer);`
	`136`	`+ free(buffer);`
`137`	`137`	`buffer = NULL;`
`138`	`138`	`capacity = len = 0;`
`139`	`139`	`}`
`@@ -150,12 +150,18 @@ unsigned char ICACHE_FLASH_ATTR String::reserve(unsigned int size) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`unsigned char ICACHE_FLASH_ATTR String::changeBuffer(unsigned int maxStrLen) {`
`153`		`- char newbuffer = (char ) os_realloc(buffer, maxStrLen + 1);`
	`153`	`+ size_t newSize = (maxStrLen + 16) & (~0xf);`
	`154`	`+ char newbuffer = (char ) malloc(newSize);`
`154`	`155`	`if(newbuffer) {`
	`156`	`+ memset(newbuffer, 0, newSize);`
	`157`	`+ memcpy(newbuffer, buffer, len);`
	`158`	`+ if (buffer)`
	`159`	`+ free(buffer);`
	`160`	`+ capacity = newSize - 1;`
`155`	`161`	`buffer = newbuffer;`
`156`		`- capacity = maxStrLen;`
`157`	`162`	`return 1;`
`158`	`163`	`}`
	`164`	`+ buffer = newbuffer;`
`159`	`165`	`return 0;`
`160`	`166`	`}`
`161`	`167`
`@@ -192,7 +198,7 @@ void ICACHE_FLASH_ATTR String::move(String &rhs) {`
`192`	`198`	`rhs.len = 0;`
`193`	`199`	`return;`
`194`	`200`	`} else {`
`195`		`- os_free(buffer);`
	`201`	`+ free(buffer);`
`196`	`202`	`}`
`197`	`203`	`}`
`198`	`204`	`buffer = rhs.buffer;`
Original file line number	Diff line number	Diff line change
`@@ -130,10 +130,10 @@ void ESP8266WebServer::_prepareHeader(String& response, int code, const char* co`
`130`	`130`
`131`	`131`	`sendHeader("Content-Type", content_type, true);`
`132`	`132`	`if (_contentLength != CONTENT_LENGTH_UNKNOWN && _contentLength != CONTENT_LENGTH_NOT_SET) {`
`133`		`- sendHeader("Content-Length", String(_contentLength).c_str());`
	`133`	`+ sendHeader("Content-Length", String(_contentLength));`
`134`	`134`	`}`
`135`	`135`	`else if (contentLength > 0){`
`136`		`- sendHeader("Content-Length", String(contentLength).c_str());`
	`136`	`+ sendHeader("Content-Length", String(contentLength));`
`137`	`137`	`}`
`138`	`138`	`sendHeader("Connection", "close");`
`139`	`139`	`sendHeader("Access-Control-Allow-Origin", "*");`