[scudo] Untag BlockEnd in reallocateandroid-12.1.0_r9android-12.1.0_r8android-12.1.0_r7android-12.1.0_r22android-12.1.0_r21android-12.1.0_r20android-12.1.0_r19android-12.1.0_r11android-12.1.0_r10android12L-devandroid12-qpr3-s7-releaseandroid12-qpr3-s6-releaseandroid12-qpr3-s5-releaseandroid12-qpr3-s4-releaseandroid12-qpr3-s3-releaseandroid12-qpr3-s2-releaseandroid12-qpr3-s1-releaseandroid12-qpr3-release

If we get here from reallocate, BlockEnd is tagged. Then we
will storeTag(UntaggedEnd) into the header of the next chunk.

Luckily header tag is 0 so unpatched code still works.

Reviewed By: pcc

Differential Revision: https://reviews.llvm.org/D105261

Bug: 206701345
Test: CtsBionicTestCases
GitOrigin-RevId: fe30963600ea579d4046c9a92c6e38cc2be0e9a2
Merged-In: Idfbf127080f09a2a111741f60efa5422414c2009
Change-Id: Idfbf127080f09a2a111741f60efa5422414c2009
(cherry picked from commit 5df4673efd351b357998c1007b5a2360ab3b67e0)

1 files changed, 2 insertions, 1 deletions

diff --git a/standalone/combined.h b/standalone/combined.h
index 8080d677d7b..5eac56dc933 100644
--- a/standalone/combined.h
+++ b/standalone/combined.h
@@ -643,7 +643,7 @@ public:
           if (ClassId) {
             resizeTaggedChunk(reinterpret_cast<uptr>(OldTaggedPtr) + OldSize,
                               reinterpret_cast<uptr>(OldTaggedPtr) + NewSize,
-                              NewSize, BlockEnd);
+                              NewSize, untagPointer(BlockEnd));
             storePrimaryAllocationStackMaybe(Options, OldPtr);
           } else {
             storeSecondaryAllocationStackMaybe(Options, OldPtr, NewSize);
@@ -1156,6 +1156,7 @@ private:
   // address tags against chunks. To allow matching in this case we store the
   // address tag in the first byte of the chunk.
   void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) {
+    DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));
     uptr UntaggedEnd = untagPointer(End);
     if (UntaggedEnd != BlockEnd) {
       storeTag(UntaggedEnd);