```c
msgs.msgs[rp->index].dump[len1] = '\0'; // add null terminator
```

after

```c
realloc(msgs.msgs[rp->index].dump, sizeof(*tmp)*len1)
```

is an out-of-bounds write. The last valid index is `len1 - 1`.

With the code still aborting after that has been fixed, it might be that

```c
// rp->line is malloc'ed then bzero'ed and strcpy'ed to contain the log line read from file
strcat(msgs.msgs[rp->index].dump, rp->line);
```

the `strcpy` to `rp->line` wrote outside the allocated buffer. The only other candidate I can see in the function is `msgs.msgs[rp->index].dump`. If that is not 0-terminated, the `strlen` can run off the allocated buffer, and the `strcat` afterward can again write outside the allocated memory. The latter can be avoided by setting `msgs.msgs[rp->index].dump[len0] = 0;` after the `realloc` and before the `strcat`.

Setting `rp` to `NULL` after freeing

```c
free(rp);
// prevent double free
rp = NULL;
```

is pointless, since `rp` is a local variable, and the function returns immediately after. The passed-in pointer `params` still holds the old address (strictly, its value becomes indeterminate, but in practice, the bits won't change) in the caller. That opens the possibility that the caller believes the pointer still points to valid memory.
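As an added example (not code from the question or the answer), here is one way to write the append and free steps the answer discusses so that the terminator is always inside the allocation and the caller's pointer is actually cleared; `struct msg`, `msg_append`, `msg_new` and `msg_free` are hypothetical names standing in for the question's `msgs.msgs[...]` entries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one element of msgs.msgs[]:
 * dump is either NULL or a NUL-terminated heap string. */
struct msg {
    char *dump;
};

/* Append line to m->dump.  The buffer grows to len0 + len1 + 1 bytes so the
 * terminator at index len0 + len1 is in bounds (the off-by-one in the answer).
 * Returns 0 on success, -1 if realloc fails; on failure dump is left intact. */
int msg_append(struct msg *m, const char *line)
{
    size_t len0 = m->dump ? strlen(m->dump) : 0;  /* safe: dump is terminated */
    size_t len1 = strlen(line);
    char *tmp = realloc(m->dump, len0 + len1 + 1);
    if (tmp == NULL)
        return -1;
    memcpy(tmp + len0, line, len1 + 1);           /* copies the NUL as well */
    m->dump = tmp;
    return 0;
}

struct msg *msg_new(void)
{
    return calloc(1, sizeof(struct msg));         /* dump starts as NULL */
}

/* Free through a pointer-to-pointer so the caller's variable is cleared;
 * free(rp); rp = NULL; on a local copy leaves the caller with a dangling address. */
void msg_free(struct msg **pm)
{
    if (pm == NULL || *pm == NULL)
        return;
    free((*pm)->dump);
    free(*pm);
    *pm = NULL;
}

int main(void)
{
    struct msg *m = msg_new();                    /* constructed sample input */
    if (m && msg_append(m, "first log line\n") == 0 && msg_append(m, "second log line\n") == 0)
        printf("%s", m->dump);
    msg_free(&m);                                 /* m is NULL afterwards */
    return 0;
}
```

Calling `msg_free(&m)` a second time is harmless, which is the property the original `rp = NULL` was trying, and failing, to provide.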