glibc  2.9
mallocbug.c
00001 /* Reproduce a GNU malloc bug.  */
00002 #include <malloc.h>
00003 #include <stdio.h>
00004 #include <string.h>
00005 
/* Shadow the library's size_t typedef with plain unsigned int for the rest
   of this file; the size variables declared in main () below therefore have
   that type.  NOTE(review): unsigned int is narrower than the real size_t on
   LP64 targets, and redefining a standard type name as a macro is only
   workable because the system headers above are already included -- verify
   before reusing this trick elsewhere.  */
#define size_t unsigned int
00007 
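/* Report an allocation failure for the block named WHAT.
   Returns non-zero when P (the result of a malloc call) is NULL, zero
   otherwise.  The original test wrote into every result unconditionally, so
   a failed allocation -- plausible for the two ~4 MB blocks on a constrained
   system -- became a write through a null pointer instead of a diagnostic.  */
static int
alloc_failed (const void *p, const char *what)
{
  if (p != NULL)
    return 0;
  printf ("UNRESOLVED: malloc for %s returned NULL\n", what);
  return 1;
}

/* Return non-zero if all LEN bytes at P compare equal to VALUE.  The
   comparison is done on char, exactly as the original inline loops did.  */
static int
filled_with (const char *p, size_t len, int value)
{
  size_t i;
  for (i = 0; i < len; ++i)
    if (p[i] != value)
      return 0;
  return 1;
}

/* Reproduce the info-table expansion bug: allocate blocks in a fixed order so
   that the allocator's info table must grow, then check that two subsequent
   blocks are not handed out on top of memory that is still on the free list.
   Prints "PASS: ..." or "FAIL: ..." on stdout.  Exit status is 0 for both
   PASS and FAIL (unchanged from the original); only an allocation failure
   returns 1.  NOTE(review): a harness that looks at the exit status alone
   cannot tell FAIL from PASS -- confirm whether that is intended.  */
int
main (int argc, char *argv[])
{
  char *dummy0;
  char *dummy1;
  char *fill_info_table1;
  char *over_top;
  size_t over_top_size = 0x3000;
  char *over_top_dup;
  size_t over_top_dup_size = 0x7000;
  char *x;

  (void) argc;
  (void) argv;

  /* Here's what memory is supposed to look like (hex):
        size  contents
        3000  original_info_table, later fill_info_table1
      3fa000  dummy0
      3fa000  dummy1
        6000  info_table_2
        3000  over_top

       */
  /* mem: original_info_table */
  dummy0 = malloc (0x3fa000);
  if (alloc_failed (dummy0, "dummy0"))
    return 1;
  /* mem: original_info_table, dummy0 */
  dummy1 = malloc (0x3fa000);
  if (alloc_failed (dummy1, "dummy1"))
    return 1;
  /* mem: free, dummy0, dummy1, info_table_2 */
  fill_info_table1 = malloc (0x3000);
  if (alloc_failed (fill_info_table1, "fill_info_table1"))
    return 1;
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */

  /* A NULL here would make free () a no-op and leave no "freexx" block, so
     the layout the test depends on would never be set up -- bail out.  */
  x = malloc (0x1000);
  if (alloc_failed (x, "x"))
    return 1;
  free (x);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */

  /* This is what loses; info_table_2 and freexx get combined unbeknownst
     to mmalloc, and mmalloc puts over_top in a section of memory which
     is on the free list as part of another block (where info_table_2 had
     been).  */
  over_top = malloc (over_top_size);
  if (alloc_failed (over_top, "over_top"))
    return 1;
  over_top_dup = malloc (over_top_dup_size);
  if (alloc_failed (over_top_dup, "over_top_dup"))
    return 1;
  memset (over_top, 0, over_top_size);
  memset (over_top_dup, 1, over_top_dup_size);

  /* If the two blocks overlap, the second memset clobbers part of the first
     (or vice versa) and one of the fill checks fails.  Both failures print
     the same message, as in the original.  */
  if (!filled_with (over_top, over_top_size, 0)
      || !filled_with (over_top_dup, over_top_dup_size, 1))
    {
      printf ("FAIL: malloc expands info table\n");
      return 0;
    }

  /* The blocks are deliberately left allocated: the process exits right
     away and the heap layout itself is what the test exercises.  */
  printf ("PASS: malloc expands info table\n");
  return 0;
}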