source-git / glibc

Clone
Source Code
GIT

Blame malloc/mallocbug.c

c8 c8s master
  1.   2ce81345bae3a2ccb379e11084fca0dda2cf100b
  2.   malloc
  3.   mallocbug.c
Blob History Raw
Packit Service 82fcde 
/* Reproduce a GNU malloc bug.  */
Packit Service 82fcde 
#include <malloc.h>
Packit Service 82fcde 
#include <stdio.h>
Packit Service 82fcde 
#include <string.h>
Packit Service 82fcde
Packit Service 82fcde 
#define size_t unsigned int
Packit Service 82fcde
Packit Service 82fcde 
/* Defined as global variables to avoid warnings about unused variables.  */
Packit Service 82fcde 
char *dummy0;
Packit Service 82fcde 
char *dummy1;
Packit Service 82fcde 
char *fill_info_table1;
Packit Service 82fcde
Packit Service 82fcde
Packit Service 82fcde 
int
Packit Service 82fcde 
main (int argc, char *argv[])
Packit Service 82fcde 
{
Packit Service 82fcde 
  char *over_top;
Packit Service 82fcde 
  size_t over_top_size = 0x3000;
Packit Service 82fcde 
  char *over_top_dup;
Packit Service 82fcde 
  size_t over_top_dup_size = 0x7000;
Packit Service 82fcde 
  char *x;
Packit Service 82fcde 
  size_t i;
Packit Service 82fcde
Packit Service 82fcde 
  /* Here's what memory is supposed to look like (hex):
Packit Service 82fcde 
        size  contents
Packit Service 82fcde 
        3000  original_info_table, later fill_info_table1
Packit Service 82fcde 
      3fa000  dummy0
Packit Service 82fcde 
      3fa000  dummy1
Packit Service 82fcde 
        6000  info_table_2
Packit Service 82fcde 
        3000  over_top
Packit Service 82fcde
Packit Service 82fcde 
   */
Packit Service 82fcde 
  /* mem: original_info_table */
Packit Service 82fcde 
  dummy0 = malloc (0x3fa000);
Packit Service 82fcde 
  /* mem: original_info_table, dummy0 */
Packit Service 82fcde 
  dummy1 = malloc (0x3fa000);
Packit Service 82fcde 
  /* mem: free, dummy0, dummy1, info_table_2 */
Packit Service 82fcde 
  fill_info_table1 = malloc (0x3000);
Packit Service 82fcde 
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */
Packit Service 82fcde
Packit Service 82fcde 
  x = malloc (0x1000);
Packit Service 82fcde 
  free (x);
Packit Service 82fcde 
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */
Packit Service 82fcde
Packit Service 82fcde 
  /* This is what loses; info_table_2 and freexx get combined unbeknownst
Packit Service 82fcde 
     to mmalloc, and mmalloc puts over_top in a section of memory which
Packit Service 82fcde 
     is on the free list as part of another block (where info_table_2 had
Packit Service 82fcde 
     been).  */
Packit Service 82fcde 
  over_top = malloc (over_top_size);
Packit Service 82fcde 
  over_top_dup = malloc (over_top_dup_size);
Packit Service 82fcde 
  memset (over_top, 0, over_top_size);
Packit Service 82fcde 
  memset (over_top_dup, 1, over_top_dup_size);
Packit Service 82fcde
Packit Service 82fcde 
  for (i = 0; i < over_top_size; ++i)
Packit Service 82fcde 
    if (over_top[i] != 0)
Packit Service 82fcde 
      {
Packit Service 82fcde 
        printf ("FAIL: malloc expands info table\n");
Packit Service 82fcde 
        return 0;
Packit Service 82fcde 
      }
Packit Service 82fcde
Packit Service 82fcde 
  for (i = 0; i < over_top_dup_size; ++i)
Packit Service 82fcde 
    if (over_top_dup[i] != 1)
Packit Service 82fcde 
      {
Packit Service 82fcde 
        printf ("FAIL: malloc expands info table\n");
Packit Service 82fcde 
        return 0;
Packit Service 82fcde 
      }
Packit Service 82fcde
Packit Service 82fcde 
  printf ("PASS: malloc expands info table\n");
Packit Service 82fcde 
  return 0;
Packit Service 82fcde 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation