lib: talloc: Fix pool object accounting when doing talloc_realloc() in the ALWAYS_REALLOC compiled case.

tc_alloc_pool() or the fallback malloc can return NULL.

Wait until we know we are returning a valid pointer
before decrementing pool_hdr->object_count due to
reallocing out of the talloc_pool.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 5 insertions, 2 deletions

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 54250c1b67d..885705234d4 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1901,8 +1901,6 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 #if (ALWAYS_REALLOC != 0)
 	if (pool_hdr) {
 		new_ptr = tc_alloc_pool(tc, size + TC_HDR_SIZE, 0);
-		pool_hdr->object_count--;
-
 		if (new_ptr == NULL) {
 			new_ptr = malloc(TC_HDR_SIZE+size);
 			malloced = true;
@@ -1912,6 +1910,11 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 		if (new_ptr) {
 			memcpy(new_ptr, tc, MIN(tc->size,size) + TC_HDR_SIZE);
 			TC_INVALIDATE_FULL_CHUNK(tc);
+			/*
+			 * Only decrement the object count in the pool once
+			 * we know we're returning a valid new_ptr.
+			 */
+			pool_hdr->object_count--;
 		}
 	} else {
 		/* We're doing malloc then free here, so record the difference. */