The array size variable must be set after calling a function that takes a ref array
Vala code:
void func(ref int[] arr) {
arr = new int[1];
}
void main() {
int[] arr = new int[100];
func(ref arr);
arr += 1;
}
Generated C code:
void
func (gint** arr,
gint* arr_length1)
{
gint* _tmp0_;
_tmp0_ = g_new0 (gint, 1);
*arr = (g_free (*arr), NULL);
*arr = _tmp0_;
*arr_length1 = 1;
}
static void
_vala_array_add1 (gint* * array,
gint* length,
gint* size,
gint value)
{
if ((*length) == (*size)) {
*size = (*size) ? (2 * (*size)) : 4;
*array = g_renew (gint, *array, *size);
}
(*array)[(*length)++] = value;
}
void
_vala_main (void)
{
gint* arr = NULL;
gint* _tmp0_;
gint arr_length1;
gint _arr_size_;
_tmp0_ = g_new0 (gint, 100);
arr = _tmp0_;
arr_length1 = 100;
_arr_size_ = arr_length1;
func (&arr, (gint*) (&arr_length1));
_vala_array_add1 (&arr, &arr_length1, &_arr_size_, 1);
arr = (g_free (arr), NULL);
}
Note that there is a missing _arr_size_ = arr_length1;
after func (&arr, (gint*) (&arr_length1));
. Therefore there will be an invalid write inside _vala_array_add1
since the function thinks the allocated size is still 100.