From 79c7ae586df252978ca64862818a7265e2f947af Mon Sep 17 00:00:00 2001
From: Eric Andersen <andersen@codepoet.org>
Date: Fri, 24 Jan 2003 11:18:29 +0000
Subject: Doh!  Fix potential stack corruption caused by dynamic atexit
 allocating size incorrectly....  -Erik

---
 libc/stdlib/atexit.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libc/stdlib/atexit.c b/libc/stdlib/atexit.c
index e82f53fe3..8b04e8a04 100644
--- a/libc/stdlib/atexit.c
+++ b/libc/stdlib/atexit.c
@@ -96,12 +96,14 @@ int atexit(aefuncp func)
 #ifdef __UCLIBC_DYNAMIC_ATEXIT__
 	/* If we are out of function table slots, make some more */
 	if (__exit_slots < __exit_count+1) {
-	    __exit_function_table=realloc(__exit_function_table, __exit_slots+20);
+	    __exit_function_table=realloc(__exit_function_table, 
+		    (__exit_slots+20)*sizeof(struct exit_function));
 	    if (__exit_function_table==NULL) {
 		UNLOCK;
 		__set_errno(ENOMEM);
 		return -1;
 	    }
+	    __exit_slots+=20;
 	}
 #else
 	if (__exit_count >= __UCLIBC_MAX_ATEXIT) {
@@ -136,12 +138,14 @@ int on_exit(oefuncp func, void *arg)
 #ifdef __UCLIBC_DYNAMIC_ATEXIT__
 	/* If we are out of function table slots, make some more */
 	if (__exit_slots < __exit_count+1) {
-	    __exit_function_table=realloc(__exit_function_table, __exit_slots+20);
+	    __exit_function_table=realloc(__exit_function_table, 
+		    (__exit_slots+20)*sizeof(struct exit_function));
 	    if (__exit_function_table==NULL) {
 		UNLOCK;
 		__set_errno(ENOMEM);
 		return -1;
 	    }
+	    __exit_slots+=20;
 	}
 #else
 	if (__exit_count >= __UCLIBC_MAX_ATEXIT) {
-- 
cgit v1.2.3