From 4fcc056178657591154d74c7140119703f563514 Mon Sep 17 00:00:00 2001
From: YAMAMOTO Takashi
Date: Fri, 9 Jun 2023 22:36:00 +0900
Subject: [PATCH] Fix a heap corruption bug in ems realloc (#2279)
---
 core/shared/mem-alloc/ems/ems_alloc.c | 1 +
 samples/mem_allocator/CMakeLists.txt | 22 ++++++++++
 samples/mem_allocator/main.c | 58 +++++++++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 samples/mem_allocator/CMakeLists.txt
 create mode 100644 samples/mem_allocator/main.c
diff --git a/core/shared/mem-alloc/ems/ems_alloc.c b/core/shared/mem-alloc/ems/ems_alloc.c
index 5c2a628a2..a29539dd5 100644
--- a/core/shared/mem-alloc/ems/ems_alloc.c
+++ b/core/shared/mem-alloc/ems/ems_alloc.c
@@ -564,6 +564,7 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size, const char *file,
 os_mutex_unlock(&heap->lock);
 return NULL;
 }
+ hmu_mark_pinuse(hmu_next);
 }
 os_mutex_unlock(&heap->lock);
 return obj_old;
diff --git a/samples/mem_allocator/CMakeLists.txt b/samples/mem_allocator/CMakeLists.txt
new file mode 100644
index 000000000..f157dfbde
--- /dev/null
+++ b/samples/mem_allocator/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (C) 2023 Midokura Japan KK. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.0)
+project(mem_allocator_create)
+
+string (TOLOWER ${CMAKE_HOST_SYSTEM_NAME} WAMR_BUILD_PLATFORM)
+if(APPLE)
+ add_definitions(-DBH_PLATFORM_DARWIN)
+endif()
+
+set(WAMR_BUILD_INTERP 1)
+set(WAMR_BUILD_LIBC_BUILTIN 0)
+
+set(WAMR_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../..)
+include(${WAMR_ROOT_DIR}/build-scripts/runtime_lib.cmake)
+
+add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
+
+add_executable(mem_alloc_test main.c)
+
+target_link_libraries(mem_alloc_test vmlib -lm -lpthread)
diff --git a/samples/mem_allocator/main.c b/samples/mem_allocator/main.c
new file mode 100644
index 000000000..a309d2e62
--- /dev/null
+++ b/samples/mem_allocator/main.c
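Review bot: The added `hmu_mark_pinuse(hmu_next);` in the ems_alloc.c hunk carries no comment naming the invariant it restores, and the commit subject only gives the symptom, so a reader of this block cannot tell from the surrounding lines why the next hmu's pinuse flag must be set at this point rather than elsewhere. I'd put a one-line comment above it, e.g. `/* obj_old was grown in place: record in hmu_next that its predecessor is in use (presumably so a later coalescing free does not merge into it — confirm against hmu_mark_pinuse's contract) */`, hedged because gc_realloc_vo_internal starts and ends outside the hunk and the in-place path is not visible here. It is also worth checking that the error branch just above, which unlocks and returns NULL, leaves the previous header state consistent, since that path does not reach the new call. The reproducer for this heap corruption lives only under samples/mem_allocator; a case in the existing unit-test tree, run under a sanitizer, would keep the fix from regressing silently.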
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 Midokura Japan KK. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+ */
+
+#include
+#include
+#include
+
+#include "mem_alloc.h"
+
+char store[1000];
+
+int
+main(int argc, char **argv)
+{
+ mem_allocator_t a = mem_allocator_create(store, sizeof(store));
+ uint8_t *p;
+ uint8_t *p2;
+
+ p = mem_allocator_malloc(a, 256);
+ printf("%p\n", p);
+ if (p == NULL) {
+ exit(1);
+ }
+ p = mem_allocator_realloc(a, p, 256 + 12);
+ printf("%p\n", p);
+ if (p == NULL) {
+ exit(1);
+ }
+
+ /*
+ * write some values to confuse the ems allocator.
+ *
+ * hmu = p + 256
+ * hmu_set_ut(hmu, HMU_FC)
+ * hmu_set_size(hmu, 256)
+ * hmu_set_free_size(hmu)
+ */
+ *(uint32_t *)(p + 256) = (1 << 30) | 0x20;
+ *(uint32_t *)(p + 256 + 12 - 4) = 12;
+
+ p2 = mem_allocator_malloc(a, 256);
+ printf("%p\n", p2);
+ if (p2 == NULL) {
+ exit(1);
+ }
+ mem_allocator_free(a, p2);
+
+ p2 = mem_allocator_malloc(a, 256);
+ printf("%p\n", p2);
+ if (p2 == NULL) {
+ exit(1);
+ }
+ mem_allocator_free(a, p);
+}
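Review bot: The sample never checks the outcome it is meant to guard: after the two forged header words are written at `p + 256`, the two `mem_allocator_malloc(a, 256)` results are only printed, so without a sanitizer a regressed allocator that hands back memory overlapping the live block `p` would still exit 0 and the reproducer would pass. I'd assert the property directly after each successful post-corruption allocation, `assert(p2 < p || p2 >= p + 256 + 12);`, so the sample fails on its own when the bug returns. The forged values `(1 << 30) | 0x20` and `12` are explained only by the comment's pseudo-calls to hmu_set_ut/hmu_set_size/hmu_set_free_size; a short note on what each bit field of the first word encodes would let a maintainer re-derive them if the header layout changes, which I cannot verify from this hunk. The include targets on lines 6-8 are not legible in this rendering, and `argc`/`argv` are unused; `(void)argc; (void)argv;` at the top of main would keep the sample warning-clean under -Wextra.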