fix realloc from small sized allocations with above PAGE_SIZE alignment

Large allocations don't always have a size larger than the maximum slab
size class because alignment larger than PAGE_SIZE is handled via large
allocations. The general case in realloc was assuming small sizes imply
slab allocations which isn't guaranteed.

Alignment above PAGE_SIZE is rare and realloc doesn't preserve alignment
so passing aligned allocations to realloc is also rare. In practice, it
ends up doing invalid accesses within the reserved metadata region which
will almost always crash due to it being largely PROT_NONE memory and it
having an extremely high likelihood of indexing into the PROT_NONE areas
rather than the actual metadata. That means if this impacted an app, it
would currently be crashing in practice. Due to the reserved region for
metadata and the fact that it would be crashing, this can be ruled out
as a security concern but is potentially an extremely rare compatibility
issue if there's any code using this.

Reported-by: Stefan Rus <stefan@photonspark.com>

Author: thestinger

h_malloc.c

@@ -1530,7 +1530,8 @@ EXPORT void *h_realloc(void *old, size_t size) {
     old = untag_pointer(old);
 
     size_t old_size;
-    if (old < get_slab_region_end() && old >= ro.slab_region_start) {
+    bool old_in_slab_region = old < get_slab_region_end() && old >= ro.slab_region_start;
+    if (old_in_slab_region) {
         old_size = slab_usable_size(old);
         if (size <= max_slab_size_class && get_size_info(size).size == old_size) {
             return old_orig;
@@ -1647,7 +1648,7 @@ EXPORT void *h_realloc(void *old, size_t size) {
         copy_size -= canary_size;
     }
     memcpy(new, old_orig, copy_size);
-    if (old_size <= max_slab_size_class) {
+    if (old_in_slab_region) {
         deallocate_small(old, NULL);
     } else {
         deallocate_large(old, NULL);