From 2457d6f5951e169749a2d941ea0ddc36e51fef99 Mon Sep 17 00:00:00 2001
From: Felipe Magno de Almeida
Date: Thu, 26 May 2016 13:04:20 -0300
Subject: [PATCH] eina: Fix crashing when accessing past-the-end of the malloc'ed promise

The promise race composition was calculating its size wrongly, making the promise's size smaller than it should, causing heap corruption.
---
 src/lib/eina/eina_promise.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/eina/eina_promise.c b/src/lib/eina/eina_promise.c
index 6f83172e10..824a7df8f1 100644
--- a/src/lib/eina/eina_promise.c
+++ b/src/lib/eina/eina_promise.c
@@ -772,7 +772,7 @@ eina_promise_race(Eina_Iterator* it)
 num_promises = eina_array_count_get(promises);
 promise = (_Eina_Promise_Default_Owner*) eina_promise_default_add(sizeof(_Eina_Promise_Race_Value_Type) +
- sizeof(struct _Eina_Promise_Race_Information*)*num_promises);
+ sizeof(struct _Eina_Promise_Race_Information)*num_promises);
 value = eina_promise_owner_buffer_get((Eina_Promise_Owner*)promise);
 value->value = NULL;
 value->promise_index = -1;
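Review bot: The size passed to `eina_promise_default_add()` is still an unchecked `sizeof(header) + sizeof(element) * num_promises` sum, and the returned `promise` is used on the next lines (`eina_promise_owner_buffer_get(...)`, `value->value = NULL`) with no failure check visible in the hunk. `num_promises` is the length of `promises`, presumably filled from the `it` argument, so I would bound it before the call with `if (num_promises > (SIZE_MAX - sizeof(_Eina_Promise_Race_Value_Type)) / sizeof(struct _Eina_Promise_Race_Information))` leading to the function's error path, and test `promise` before writing through `value`. A comment above the call such as `/* buffer = race header followed by num_promises _Eina_Promise_Race_Information structs stored inline, not pointers */` would record the layout that the old `sizeof(... *)` got wrong. The parameter type of `eina_promise_default_add()` and the rest of `eina_promise_race()` lie outside this hunk, so whether the sum can be narrowed on the way in, and which cleanup the error path needs, should be confirmed there.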