CID 276460: Memory - Illegal access (Use after free)
In tests/unity/unity_fixture.c:
void* unity_realloc(void* oldMem, size_t size)
277 {
    1. alias: Assigning: guard = oldMem. Now both point to the same storage.
278     Guard* guard = (Guard*)oldMem;
279     void* newMem;
280
    2. Condition oldMem == NULL, taking false branch.
281     if (oldMem == NULL) { return unity_malloc(size);
282     }
283
284     guard--;
    3. Condition isOverrun(oldMem), taking true branch.
285     if (isOverrun(oldMem))
286     {
    4. freed_arg: release_memory frees oldMem.
287         release_memory(oldMem);
288         UNITY_TEST_FAIL(Unity.CurrentTestLineNumber, "Buffer overrun detected during realloc()");
289     }
290
    5. Condition size == 0, taking false branch.
291     if (size == 0)
292     {
    CID 276460 (#2 of 4): Use after free (USE_AFTER_FREE)
293         release_memory(oldMem);
294         return NULL;
295     }
296
    CID 276460 (#1 of 4): Use after free (USE_AFTER_FREE)
    6. Condition guard->size >= size, taking false branch.
297     if (guard->size >= size) { return oldMem;
298     }
299
300 #ifdef UNITY_EXCLUDE_STDLIB_MALLOC /* Optimization if memory is expandable */
301     if (oldMem == unity_heap + heap_index - guard->size - sizeof(end) &&
302         heap_index + size - guard->size <= UNITY_INTERNAL_HEAP_SIZE_BYTES)
303     {
304         release_memory(oldMem); /* Not thread-safe, like unity_heap generally */
305         return unity_malloc(size); /* No memcpy since data is in place */
306     }
307 #endif
308     newMem = unity_malloc(size);
    7. Condition newMem == NULL, taking false branch.
309     if (newMem == NULL) { return NULL; /* Do not release old memory */
310     }
    CID 276460 (#3-4 of 4): Use after free (USE_AFTER_FREE)
    8. deref_arg: Calling memcpy dereferences freed pointer oldMem. [Note: The source code implementation of the function has been overridden by a builtin model.]
311     memcpy(newMem, oldMem, guard->size);
312     release_memory(oldMem);
313     return newMem;
314 }
276460 Use after free
This could cause an immediate crash or incorrect values might be read subsequently resulting in incorrect computations.
In unity_realloc: A pointer to freed memory is dereferenced, used as a function argument, or otherwise used (CWE-416)
This code has not changed recently since August 2019. I'm not sure why Coverity only sees this problem now, when there have been no recent updates and we scan weekly.