realloc() kills source pointer when fails

[d-a-v]

On master, this sketch below would be correct if free() was not commented.
But the fact is that free() must be commented for it to work flawlessly endlessly looping at every ~34KB,
with otherwise a nice Fatal exception 3(LoadStoreErrorCause) crash in umm's check_poison().
This seems to be a bug in umm.
Discovered while trying to debug #3699 in with a too large file uploaded to ESP8266WebServer.

Can someone reproduce and confirm ?

void setup()
{
  Serial.begin(115200);
  Serial.setDebugOutput(true);
}

#define INC 100
size_t len = 0;
char* buf = NULL;

void loop()
{
  if (!buf)
  {
    os_printf(":1\n");
    buf = (char*)malloc(INC);
    if (buf)
      len = INC;
    else
      os_printf(":1null\n");
  }
  else
  {
    os_printf(":re %d -> %d\n", len, len + INC);
    char* newbuf = (char*)realloc(buf, len + INC);
    if (!newbuf)
    {
      os_printf(":re null\n");
      //free(buf);   <--- BUF IS NO MORE ALLOCATED WHERE IT SHOULD BE
      len = 0;
      buf = NULL;
    }
    else
    {
      len += INC;
      buf = newbuf;
    }
  }
}

[d-a-v]

possibly related: bug in umm realloc()

[d-a-v]

Sadly, same bug is triggered with upstream umm_malloc.
I'm afraid this may be the reason of at least lots of HTTP bugs here.
We can't really temporarily replace realloc with malloc/memcpy/free.
@igrr what was beeing used before umm_malloc ?
We could revert until umm_malloc is fixed.

[d-a-v]

Then at least WString.cpp must be reviewed #3555 #3516