From f5ee767c469ce467dc277d259029b02b3894dfa8 Mon Sep 17 00:00:00 2001
From: dongjiuzhu1
Date: Mon, 31 Oct 2022 21:11:26 +0800
Subject: [PATCH] mm/mempool: fix crash about mempool_multiple_realloc
kasan_report (addr=0xf3c68618, size=1, is_write=false) at kasan/kasan.c:106
0x56585fbf in __asan_loadN_noabort (addr=0xf3c68618, size=1) at kasan/kasan.c:300
0x565860ac in __asan_load1_noabort (addr=0xf3c68618) at kasan/kasan.c:354
0x565843af in memcpy (dest=0xf3de9d6c, src=0xf3c685cc, n=3) at string/lib_memcpy.c:44
0x56587ae8 in mempool_multiple_realloc (mpool=0xf3c670fc, oldblk=0xf3c685cc, size=416) at mempool/mempool_multiple.c:218
0x5658707a in mm_realloc (heap=0xf3c67000, oldmem=0xf3c685cc, size=416) at mm_heap/mm_realloc.c:98
0x5658524e in realloc (oldmem=0xf3c685cc, size=416) at umm_heap/umm_realloc.c:97
Signed-off-by: dongjiuzhu1
---
 mm/mempool/mempool_multiple.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/mempool/mempool_multiple.c b/mm/mempool/mempool_multiple.c
index 34a9541796..da19efbbb3 100644
--- a/mm/mempool/mempool_multiple.c
+++ b/mm/mempool/mempool_multiple.c
@@ -214,7 +214,7 @@ FAR void *mempool_multiple_realloc(FAR struct mempool_multiple_s *mpool,
 oldpool = *(FAR struct mempool_s **) ((FAR char *)oldblk - SIZEOF_HEAD);
- memcpy(blk, oldblk, MIN(oldpool->blocksize, size));
+ memcpy(blk, oldblk, MIN(oldpool->blocksize - SIZEOF_HEAD, size));
 mempool_multiple_free(mpool, oldblk);
 }
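Review bot: The new length `oldpool->blocksize - SIZEOF_HEAD` in the `memcpy` call relies on an invariant the hunk neither states nor checks: that every pool's `blocksize` already counts the `SIZEOF_HEAD` bytes stored in front of the user pointer. If `blocksize` is an unsigned type and a pool were ever set up with a smaller value, the subtraction would wrap, `MIN` would select `size`, and the out-of-bounds read that KASAN reported would come back. I would put `DEBUGASSERT(oldpool->blocksize >= SIZEOF_HEAD);` before the copy and add a comment such as `/* blocksize counts the SIZEOF_HEAD header in front of oldblk; copy only the usable payload */`. The type of `blocksize` and the pool setup are not visible here, and the body of mempool_multiple_realloc starts and ends outside the hunk.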