Fixed a memory corruption bug for 32-bit builds

On a 32-bit build, sizeof(upb_Array) was not aligned to 8, and so we were allocating a block of memory that was too small. Our 32-bit GitHub tests did not catch this, probably because the 32-bit build is not running ASAN. The bug manifested in the 32-bit PHP build. PiperOrigin-RevId: 478488507
protocolbuffers · Oct 3, 2022 · 5732824 · 5732824
1 parent 259183b
commit 5732824
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/upb/internal/array.h b/upb/internal/array.h
@@ -69,8 +69,8 @@ UPB_INLINE uintptr_t _upb_tag_arrptr(void* ptr, int elem_size_lg2) {
 
 UPB_INLINE upb_Array* _upb_Array_New(upb_Arena* a, size_t init_capacity,
                                      int elem_size_lg2) {
-  const size_t arr_size = UPB_ALIGN_UP(sizeof(upb_Array), 8);
-  const size_t bytes = sizeof(upb_Array) + (init_capacity << elem_size_lg2);
+  const size_t arr_size = UPB_ALIGN_UP(sizeof(upb_Array), UPB_MALLOC_ALIGN);
+  const size_t bytes = arr_size + (init_capacity << elem_size_lg2);
   upb_Array* arr = (upb_Array*)upb_Arena_Malloc(a, bytes);
   if (!arr) return NULL;
   arr->data = _upb_tag_arrptr(UPB_PTR_AT(arr, arr_size, void), elem_size_lg2);