Consider the case when the input is size 0. In this case, buffer_pos will be 0
as well. The realloc call in the count == 0 branch will then effectively become
a free. realloc can sometimes return NULL when a 0 is passed for the size. The
current code assumes that this only happens on a memory allocation error and
breaks out of the loop. This then becomes a double free because the buffer is
freed a second time, causing an abort.

The intent of the realloc is probably to downsize the buffer to fit the data
exactly in order to make incorrect memory access more obvious. This changes the
code to skip this downsizing if the size of the input data

Signed-off-by: Denis Kasak email@example.com
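An added C example, not the patched project's code, modelling the read loop the commit message describes with the downsizing guarded as the fix proposes. The function names slurp, shrink_to_fit and roundtrip_ok, the chunked copy standing in for a read() call, and the inline input are assumptions; buffer_pos and count follow the message.

```c
#include <stdlib.h>
#include <string.h>

/* Shrink-to-fit as the fix describes it. The original branch called
 * realloc(*buf, used) unconditionally: with used == 0 that frees *buf and
 * may return NULL, which the error path then freed again (double free).
 * Skipping the downsizing for an empty buffer keeps realloc away from size
 * 0, so NULL is always a real allocation failure and *buf stays valid. */
static int shrink_to_fit(char **buf, size_t used) {
    if (used == 0) return 0;
    char *p = realloc(*buf, used);
    if (p == NULL) return -1;
    *buf = p;
    return 0;
}

/* Reads the constructed input `data` into a heap buffer in small chunks
 * (standing in for a read() loop) and shrinks it to fit at the end.
 * Returns NULL on allocation failure. */
char *slurp(const char *data, size_t len, size_t *out_len) {
    size_t cap = 8, buffer_pos = 0, off = 0;
    char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    for (;;) {
        size_t count = len - off;                /* bytes left to "read" */
        if (count > cap - buffer_pos) count = cap - buffer_pos;
        memcpy(buf + buffer_pos, data + off, count);
        off += count;
        if (count == 0) {                        /* end of input */
            if (shrink_to_fit(&buf, buffer_pos) != 0) { free(buf); return NULL; }
            break;
        }
        buffer_pos += count;
        if (buffer_pos == cap) {                 /* grow before the next read */
            char *p = realloc(buf, cap * 2);
            if (p == NULL) { free(buf); return NULL; }
            buf = p; cap *= 2;
        }
    }
    *out_len = buffer_pos;
    return buf;
}

/* Returns 1 if slurp() reproduces `data` exactly, including when len == 0. */
int roundtrip_ok(const char *data, size_t len) {
    size_t n = (size_t)-1;
    char *b = slurp(data, len, &n);
    int ok = (b != NULL && n == len && memcmp(b, data, len) == 0);
    free(b);
    return ok;
}
```

With the guard in place the empty-input case returns a valid (unshrunk) buffer that the caller frees exactly once, instead of tripping the double free.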