Bug 3397 - free() aborts with invalid pointer message
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
 
Reported: 2006-10-19 16:42 UTC by Alexander Eichner
Modified: 2016-08-22 13:38 UTC

See Also:
Host: i686-pc-gnu-linux
Target: i686-pc-gnu-linux
Build: i686-pc-gnu-linux
Last reconfirmed:
fweimer: security-


Attachments
test case for the described bug (1.07 KB, text/x-csrc)
2006-10-19 16:43 UTC, Alexander Eichner

Description Alexander Eichner 2006-10-19 16:42:04 UTC
Distribution: LFS http://www.linuxfromscratch.org
glibc version: 2.5
glibc configure options: --prefix=/usr --disable-profile --enable-add-ons   
                         --enable-kernel=2.6.0 --libexecdir=/usr/lib/glibc
kernel version: Linux lfs 2.6.18 #6 PREEMPT Thu Sep 28 14:58:32 CEST 2006 
                i686 athlon-4 i386 GNU/Linux
glibc build toolchain versions: gcc 4.1.0
                                binutils 2.17

Description: free() aborts the process with invalid pointer message if
             malloc was called with a specific value (in test program 241056 Byte)
             or if free is called serial, but with different pointers

Steps to reproduce: 

1. compile code with gcc -g -O0 -o sobel_test sobel_test.c
2. start program (program should abort with output shown below)
3. change #define WIDTH 324 to #define WIDTH 325 (line 5) 
   or 
   remove free(vertical_sobel_image) (line 136)
4. compile code with gcc -g -O0 -o sobel_test sobel_test.c
5. start program (program should exit normally)

Debug output:

*** glibc detected *** ./sobel_test: free(): invalid pointer: 0xb7df7008 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7ed1a30]
/lib/libc.so.6(__libc_free+0x89)[0xb7ed3099]
./sobel_test[0x804870f]
./sobel_test[0x8048485]
/lib/libc.so.6(__libc_start_main+0xd8)[0xb7e837c8]
./sobel_test[0x8048311]
======= Memory map: ========
08048000-08049000 r-xp 00000000 03:41 16565444   /home/alexander/sobel_test
08049000-0804a000 rw-p 00000000 03:41 16565444   /home/alexander/sobel_test
b7c00000-b7c21000 rw-p b7c00000 00:00 0 
b7c21000-b7d00000 ---p b7c21000 00:00 0 
b7db1000-b7dbb000 r-xp 00000000 03:02 2168783    /usr/lib/libgcc_s.so.1
b7dbb000-b7dbc000 rw-p 00009000 03:02 2168783    /usr/lib/libgcc_s.so.1
b7dbc000-b7e6e000 rw-p b7dbc000 00:00 0 
b7e6e000-b7f91000 r-xp 00000000 03:02 2142662    /lib/libc-2.5.so
b7f91000-b7f92000 r--p 00123000 03:02 2142662    /lib/libc-2.5.so
b7f92000-b7f94000 rw-p 00124000 03:02 2142662    /lib/libc-2.5.so
b7f94000-b7f98000 rw-p b7f94000 00:00 0 
b7fba000-b7fbb000 r-xp b7fba000 00:00 0          [vdso]
b7fbb000-b7fd5000 r-xp 00000000 03:02 2142809    /lib/ld-2.5.so
b7fd5000-b7fd6000 r--p 00019000 03:02 2142809    /lib/ld-2.5.so
b7fd6000-b7fd7000 rw-p 0001a000 03:02 2142809    /lib/ld-2.5.so
bf802000-bf818000 rw-p bf802000 00:00 0          [stack]

This was also tested with Fedora Core 5 with the same result
(glibc version 2.4).
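
A triage aid for the debug output above, added here as an example; it is not part of the report, the attached test case, or glibc. It finds the mapping that contains the pointer free() rejected and attributes each backtrace frame to a mapping; the function names are this example's own, and the embedded excerpt is copied from the report's output and trimmed.

```python
import re

# Excerpt of the abort output copied from the report, trimmed to the lines used here.
REPORT = """\
*** glibc detected *** ./sobel_test: free(): invalid pointer: 0xb7df7008 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7ed1a30]
/lib/libc.so.6(__libc_free+0x89)[0xb7ed3099]
./sobel_test[0x804870f]
======= Memory map: ========
08048000-08049000 r-xp 00000000 03:41 16565444   /home/alexander/sobel_test
b7dbc000-b7e6e000 rw-p b7dbc000 00:00 0
b7e6e000-b7f91000 r-xp 00000000 03:02 2142662    /lib/libc-2.5.so
bf802000-bf818000 rw-p bf802000 00:00 0          [stack]
"""

MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")
PTR_RE = re.compile(r"free\(\): invalid pointer: (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\S+\[(0x[0-9a-f]+)\]$")

def parse_maps(text):
    """Return (start, end, perms, name) for every memory-map line in text."""
    maps = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            name = m.group(4).strip() or "[anonymous]"
            maps.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), name))
    return maps

def locate(addr, maps):
    """Return (name, perms, offset into mapping) for addr, or None if unmapped."""
    for start, end, perms, name in maps:
        if start <= addr < end:
            return name, perms, addr - start
    return None

def triage(text):
    """Resolve the rejected pointer and each backtrace frame against the map."""
    maps = parse_maps(text)
    ptr = int(PTR_RE.search(text).group(1), 16)
    frames = [int(m.group(1), 16) for m in map(FRAME_RE.match, text.splitlines()) if m]
    return {"pointer": locate(ptr, maps), "frames": [locate(f, maps) for f in frames]}

if __name__ == "__main__":
    result = triage(REPORT)
    print("rejected pointer:", result["pointer"])
    for frame in result["frames"]:
        print("frame:", frame)
```

On the report's data the rejected pointer resolves to an anonymous rw-p mapping, and the frame at 0x804870f resolves to the sobel_test binary, which is the address to hand to a symbolizer such as addr2line when the binary was built with -g.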
Comment 1 Alexander Eichner 2006-10-19 16:43:02 UTC
Created attachment 1379
test case for the described bug
Comment 2 Alexander Eichner 2006-10-20 12:46:19 UTC
Mistake in sobel_test.c found.