Currently h_realloc does the following: if old_in_slab_region && size <= max_slab_size_class && get_size_info(size).size == old_size, the code simply returns the original pointer. This means that even if the pointer was already freed, the realloc would succeed, allowing realloc-after-free. Unlike what is done in deallocate_small, where it checks for unaligned free, double free, canary, and quarantine, h_realloc doesn't do any of these checks when the above condition holds.
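To make the gap concrete, here is an added C model (example code, not hardened_malloc's own; the slab layout, function names and single live bitmap are constructed for this example, and the canary and quarantine checks are left out) contrasting the unchecked same-size-class fast path with one that applies the free-path validity checks before returning the old pointer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy slab: one size class, SLOTS fixed-size slots, and a bitmap
   recording which slots are currently allocated. */
#define SLOT_SIZE 64
#define SLOTS 8

static unsigned char slab[SLOTS * SLOT_SIZE];
static uint8_t live_bitmap; /* bit i set => slot i is live */

static bool in_slab(const void *p) {
    const unsigned char *c = p;
    return c >= slab && c < slab + sizeof slab && ((c - slab) % SLOT_SIZE) == 0;
}
static size_t slot_index(const void *p) { return ((const unsigned char *)p - slab) / SLOT_SIZE; }

void *slab_alloc(void) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!(live_bitmap & (1u << i))) { live_bitmap |= 1u << i; return slab + i * SLOT_SIZE; }
    return NULL;
}

/* Free path: rejects unaligned/foreign pointers and double frees. */
bool slab_free(void *p) {
    if (!in_slab(p)) return false;                 /* unaligned or not ours */
    size_t i = slot_index(p);
    if (!(live_bitmap & (1u << i))) return false;  /* double free */
    live_bitmap &= ~(1u << i);
    return true;
}

/* Fast path as the issue describes it: same size class => return old pointer, no checks. */
void *realloc_same_class_unchecked(void *p, size_t size) {
    return (in_slab(p) && size <= SLOT_SIZE) ? p : NULL;
}

/* Hardened fast path: apply the free-path checks first, so a freed slot
   cannot be revived through realloc. */
void *realloc_same_class_checked(void *p, size_t size) {
    if (!in_slab(p) || size > SLOT_SIZE) return NULL;
    if (!(live_bitmap & (1u << slot_index(p)))) return NULL;  /* realloc-after-free */
    return p;
}

/* Returns 1 if the unchecked path hands back a freed pointer while the checked one refuses. */
int scenario_realloc_after_free(void) {
    void *p = slab_alloc();
    if (!p || realloc_same_class_checked(p, 32) != p || !slab_free(p)) return 0;
    return realloc_same_class_unchecked(p, 32) == p && realloc_same_class_checked(p, 32) == NULL;
}
```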