Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
glibc/malloc/mallocbug.c
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
70 lines (59 sloc)
1.78 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Reproduce a GNU malloc bug. */ | |
| #include <malloc.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #define size_t unsigned int | |
| /* Defined as global variables to avoid warnings about unused variables. */ | |
| char *dummy0; | |
| char *dummy1; | |
| char *fill_info_table1; | |
| int | |
| main (int argc, char *argv[]) | |
| { | |
| char *over_top; | |
| size_t over_top_size = 0x3000; | |
| char *over_top_dup; | |
| size_t over_top_dup_size = 0x7000; | |
| char *x; | |
| size_t i; | |
| /* Here's what memory is supposed to look like (hex): | |
| size contents | |
| 3000 original_info_table, later fill_info_table1 | |
| 3fa000 dummy0 | |
| 3fa000 dummy1 | |
| 6000 info_table_2 | |
| 3000 over_top | |
| */ | |
| /* mem: original_info_table */ | |
| dummy0 = malloc (0x3fa000); | |
| /* mem: original_info_table, dummy0 */ | |
| dummy1 = malloc (0x3fa000); | |
| /* mem: free, dummy0, dummy1, info_table_2 */ | |
| fill_info_table1 = malloc (0x3000); | |
| /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */ | |
| x = malloc (0x1000); | |
| free (x); | |
| /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */ | |
| /* This is what loses; info_table_2 and freexx get combined unbeknownst | |
| to mmalloc, and mmalloc puts over_top in a section of memory which | |
| is on the free list as part of another block (where info_table_2 had | |
| been). */ | |
| over_top = malloc (over_top_size); | |
| over_top_dup = malloc (over_top_dup_size); | |
| memset (over_top, 0, over_top_size); | |
| memset (over_top_dup, 1, over_top_dup_size); | |
| for (i = 0; i < over_top_size; ++i) | |
| if (over_top[i] != 0) | |
| { | |
| printf ("FAIL: malloc expands info table\n"); | |
| return 0; | |
| } | |
| for (i = 0; i < over_top_dup_size; ++i) | |
| if (over_top_dup[i] != 1) | |
| { | |
| printf ("FAIL: malloc expands info table\n"); | |
| return 0; | |
| } | |
| printf ("PASS: malloc expands info table\n"); | |
| return 0; | |
| } |