From 9673abeab5e44d064724d43bf97eb0c0eedfe3a1 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Tue, 27 Sep 2011 01:00:02 +0200
Subject: [PATCH] unix: fix pointer ownership bug
libuv realloc'd a pointer that belonged to and was later freed by libev.
---
 src/unix/fs.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/unix/fs.c b/src/unix/fs.c
index ec24e8b3..f1974ca2 100644
--- a/src/unix/fs.c
+++ b/src/unix/fs.c
@@ -149,19 +149,20 @@ static int uv__fs_after(eio_req* eio) {
 case UV_FS_READLINK:
 if (req->result == -1) {
 req->ptr = NULL;
- } else {
- assert(req->result > 0);
-
- if ((name = realloc(req->eio->ptr2, req->result + 1)) == NULL) {
- /* Not enough memory. Reuse buffer, chop off last byte. */
- name = req->eio->ptr2;
- req->result--;
- }
+ break;
+ }
+ assert(req->result > 0);
+ /* Make zero-terminated copy of req->eio->ptr2 */
+ if ((req->ptr = name = malloc(req->result + 1))) {
+ memcpy(name, req->eio->ptr2, req->result);
 name[req->result] = '\0';
- req->ptr = name;
 req->result = 0;
 }
+ else {
+ req->errorno = ENOMEM;
+ req->result = -1;
+ }
 break;
 default:
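Review bot: The new comment above the `malloc` call says what is copied but not why, and the reason is the whole fix: `req->eio->ptr2` is freed by its owner, so it must never be passed to `realloc` or stored in `req->ptr`. I would spell that out, e.g. `/* ptr2 is owned and freed by the eio request: copy it, never realloc or keep it. req->ptr is ours to free. */`, so nobody later folds the copy back into a realloc and reintroduces the ownership bug. The copy is now a separate heap allocation, so the request cleanup path (outside this hunk) has to free `req->ptr` for `UV_FS_READLINK`; that is not visible here and is worth confirming. The length passed to `malloc` and `memcpy` is guarded only by `assert(req->result > 0)`, which disappears under `NDEBUG`. uv__fs_after starts and ends outside the hunk.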