From 573282442758c19f7a6f9ee19bc890d4d5d4be02 Mon Sep 17 00:00:00 2001
From: Joshua Haberman
Date: Mon, 3 Oct 2022 06:38:23 -0700
Subject: [PATCH] Fixed a memory corruption bug for 32-bit builds

On a 32-bit build, sizeof(upb_Array) was not aligned to 8, and so we were allocating a block of memory that was too small. Our 32-bit GitHub tests did not catch this, probably because the 32-bit build is not running ASAN. The bug manifested in the 32-bit PHP build.
PiperOrigin-RevId: 478488507
---
 upb/internal/array.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/upb/internal/array.h b/upb/internal/array.h
index c3f96001bd..ef4fb1a7cb 100644
--- a/upb/internal/array.h
+++ b/upb/internal/array.h
@@ -69,8 +69,8 @@ UPB_INLINE uintptr_t _upb_tag_arrptr(void* ptr, int elem_size_lg2) {
 UPB_INLINE upb_Array* _upb_Array_New(upb_Arena* a, size_t init_capacity, int elem_size_lg2) {
- const size_t arr_size = UPB_ALIGN_UP(sizeof(upb_Array), 8);
- const size_t bytes = sizeof(upb_Array) + (init_capacity << elem_size_lg2);
+ const size_t arr_size = UPB_ALIGN_UP(sizeof(upb_Array), UPB_MALLOC_ALIGN);
+ const size_t bytes = arr_size + (init_capacity << elem_size_lg2);
 upb_Array* arr = (upb_Array*)upb_Arena_Malloc(a, bytes);
 if (!arr) return NULL;
 arr->data = _upb_tag_arrptr(UPB_PTR_AT(arr, arr_size, void), elem_size_lg2);