test: add tests for zero sized realloc(3)

cgzones · cgzones · commit 9ca327950742 · 2025-04-05T16:55:41.000+02:00
C23 declared calling realloc(3) with a non-NULL pointer and zero size
Undefined behavior.
Check that hardened_malloc handles that case sanely by free'ing the old
pointer and returning a special pointer, like `malloc(3)` called with
size zero.
diff --git a/test/.gitignore b/test/.gitignore
@@ -41,4 +41,7 @@ overflow_small_8_byte
 uninitialized_read_large
 uninitialized_read_small
 realloc_init
+realloc_c23_undefined_behaviour
+realloc_c23_undefined_behaviour_double_free
+realloc_c23_undefined_behaviour_use_after_free
 __pycache__/
diff --git a/test/Makefile b/test/Makefile
@@ -67,7 +67,10 @@ EXECUTABLES := \
     invalid_malloc_object_size_small \
     invalid_malloc_object_size_small_quarantine \
     impossibly_large_malloc \
-    realloc_init
+    realloc_init \
+    realloc_c23_undefined_behaviour \
+    realloc_c23_undefined_behaviour_double_free \
+    realloc_c23_undefined_behaviour_use_after_free
 
 all: $(EXECUTABLES)
 
diff --git a/test/realloc_c23_undefined_behaviour.c b/test/realloc_c23_undefined_behaviour.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    free(q);
+
+    return 0;
+}
diff --git a/test/realloc_c23_undefined_behaviour_double_free.c b/test/realloc_c23_undefined_behaviour_double_free.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    free(p);
+
+    return 0;
+}
diff --git a/test/realloc_c23_undefined_behaviour_use_after_free.c b/test/realloc_c23_undefined_behaviour_use_after_free.c
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    printf("%c\n", *p);
+
+    free(q);
+
+    return 0;
+}
diff --git a/test/test_smc.py b/test/test_smc.py
@@ -169,6 +169,20 @@ def test_uninitialized_realloc(self):
         self.assertEqual(stderr.decode("utf-8"),
                          "fatal allocator error: invalid realloc\n")
 
+    def test_realloc_c23_undefined_behaviour(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour")
+        self.assertEqual(returncode, 0)
+
+    def test_realloc_c23_undefined_behaviour_double_free(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour_double_free")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: double free (quarantine)\n")
+
+    def test_realloc_c23_undefined_behaviour_use_after_free(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour_use_after_free")
+        self.assertEqual(returncode, -11)
+
     def test_write_after_free_large_reuse(self):
         _stdout, _stderr, returncode = self.run_test(
             "write_after_free_large_reuse")
