0

I'm having some serious trouble with this function: When the trace reaches the realloc, it blows up. I've checked similar questions on this subject but nothing came out. I hope you can help me. Do you see anything wrong?

char **tokenizepath(char *path){    

    char str[256]; // buffer;
    char **token=NULL;
    char *saveptr; 
    int i=1;
    size_t tam = sizeof(char*);

    token = malloc(2 * tam);
    strcpy(str, path);

    if(str[0]=='\\'){
        token[0] = "\\";
        token[i++] = strtok_r(str, "\\", &saveptr);
    }else{
        token[0] = strtok_r(str, "\\", &saveptr);
    }

    while((token[i]=strtok_r(NULL, "\\", &saveptr))!=NULL){
        i++;
        token = realloc(token, (i+1)*sizeof(char*));
    }

    return token;

}

Here is the backtrace:

*** glibc detected *** /home/vlad/workspace_SisOp/RFSDev/Debug/RFSDev: realloc(): invalid next size: 0x0000000000605290 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7a6e6)[0x7ffff7ab56e6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7d3e7)[0x7ffff7ab83e7]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0xf9)[0x7ffff7ab9b39]
/home/vlad/workspace_SisOp/RFSDev/Debug/RFSDev[0x40319b]
/home/vlad/workspace_SisOp/RFSDev/Debug/RFSDev[0x400c31]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7ffff7a5c30d]
/home/vlad/workspace_SisOp/RFSDev/Debug/RFSDev[0x400aa9]

Thanks in advance!

Vladimir

1 Answer

3

If the first test is TRUE:

if(str[0]=='\\'){

then in the first iteration of the following while loop:

while((token[i]=strtok_r(NULL, "\\", &saveptr))!=NULL){

i == 2 and you are attempting to access token[2] before it's been allocated.


Another problem: if the token array moves after a call to realloc (because realloc couldn't increase the size without moving it), then saveptr will no longer be valid.

Paul R
  • Thanks, but I changed the initial token = malloc(2 * tam); for token = malloc(3 * tam); and it didn't work, still the same error u.u – Vladimir Jun 25 '12 at 20:27
  • You need to step through the code in your debugger to see what's going on – Paul R Jun 25 '12 at 20:40
  • I did, it just dumps when the program reaches the realloc call – Vladimir Jun 26 '12 at 03:28
  • I spotted another problem which I've added to my answer above. However you really just need to step through the code in your debugger and inspect the state of all your local variables immediately prior to the crash. – Paul R Jun 26 '12 at 16:04
  • I don't understand why you say that saveptr will no longer be valid. Also I've commented the realloc and now it dumps on another realloc ahead of this one, in other function. Even more, valgrind is showing me that that piece of code actually executes several times, but it just says that blocks are definitely lost. I think the problem is not my code... Can you think of any configuration problem that produces such behaviour? Thank you very much for your patience – Vladimir Jun 27 '12 at 04:31
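
A store into an array slot that has not been allocated yet, as the answer's first point describes, is a heap overrun of the kind glibc reports as `realloc(): invalid next size`. The following is an added example, not code from the question or the answer: a bounds-safe variant under the hypothetical name `tokenize_path_safe` that grows the array before every store, copies the path to the heap instead of a 256-byte stack buffer so the tokens stay valid after return, and uses `strspn`/`strcspn` in place of `strtok_r` to stay in ISO C.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a NULL-terminated array of components; *buf_out is the heap copy
 * they point into. Caller frees both. NULL on error. (Hypothetical name.) */
char **tokenize_path_safe(const char *path, char **buf_out, size_t *count_out)
{
    if (path == NULL || buf_out == NULL || count_out == NULL)
        return NULL;
    size_t len = strlen(path), cap = 2, n = 0;  /* cap 2: as in the question */
    char *buf = malloc(len + 1);                /* sized from input, not str[256] */
    char **tok = malloc(cap * sizeof *tok);
    if (buf == NULL || tok == NULL) { free(buf); free(tok); return NULL; }
    memcpy(buf, path, len + 1);
    if (buf[0] == '\\')
        tok[n++] = "\\";                        /* root marker: literal, never freed */
    char *p = buf;
    for (;;) {
        p += strspn(p, "\\");                   /* skip separators, as strtok_r does */
        char *t = (*p != '\0') ? p : NULL;
        if (n == cap) {                         /* grow BEFORE storing into slot n */
            char **tmp = realloc(tok, 2 * cap * sizeof *tok);
            if (tmp == NULL) { free(tok); free(buf); return NULL; }
            tok = tmp;                          /* old block kept until realloc succeeds */
            cap *= 2;
        }
        tok[n] = t;                             /* final store is the NULL terminator */
        if (t == NULL)
            break;
        n++;
        p += strcspn(p, "\\");                  /* end of this component */
        if (*p != '\0')
            *p++ = '\0';
    }
    *buf_out = buf;
    *count_out = n;
    return tok;
}

int main(void)
{
    char *buf; size_t n;
    char **t = tokenize_path_safe("\\usr\\local\\bin", &buf, &n); /* constructed input */
    if (t == NULL) return 1;
    for (size_t i = 0; i < n; i++) puts(t[i]);
    free(t); free(buf);
    return 0;
}
```

Building the original function with `-fsanitize=address` reports the out-of-bounds store at the line where it happens, rather than at a later `realloc` call.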