f65fd747 UD |
1 | /* Reproduce a GNU malloc bug. */ |
2 | #include <malloc.h> | |
3 | #include <stdio.h> | |
4 | #include <string.h> | |
5 | ||
/* Make every later use of `size_t' in this file expand to `unsigned int'.
   The macro is defined after the #include lines, so the declarations the
   headers already supplied (malloc, memset, ...) are not affected; only the
   locals in main are.
   NOTE(review): `size_t' is a standard typedef name, and defining it as a
   macro once the standard headers are included is reserved-identifier
   territory.  Presumably this pins the sizes to the width the original bug
   report used -- confirm before removing it.  */
#define size_t unsigned int
7 | ||
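/* Regression test for an allocator bookkeeping bug: after a specific
   sequence of requests the allocator handed out memory that was still on
   its free list as part of another block, so two live allocations could
   overlap.  The test fills two such allocations with different byte values
   and verifies that neither fill disturbed the other.

   Prints "PASS: ..." and returns 0 when both regions are intact.  Prints
   "FAIL: ..." and returns 1 when a region was overwritten or when any
   allocation fails, so a harness that looks only at the exit status still
   sees the failure.  */
int
main (int argc, char *argv[])
{
  char *dummy0;
  char *dummy1;
  char *fill_info_table1;
  char *over_top;
  size_t over_top_size = 0x3000;
  char *over_top_dup;
  size_t over_top_dup_size = 0x7000;
  char *x;
  size_t i;

  /* The command line is not used.  */
  (void) argc;
  (void) argv;

  /* Here's what memory is supposed to look like (hex):
	size  contents
	3000  original_info_table, later fill_info_table1
      3fa000  dummy0
      3fa000  dummy1
	6000  info_table_2
	3000  over_top

   */
  /* mem: original_info_table */
  dummy0 = malloc (0x3fa000);
  /* mem: original_info_table, dummy0 */
  dummy1 = malloc (0x3fa000);
  /* mem: free, dummy0, dummy1, info_table_2 */
  fill_info_table1 = malloc (0x3000);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */

  x = malloc (0x1000);
  free (x);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */

  /* This is what loses; info_table_2 and freexx get combined unbeknownst
     to mmalloc, and mmalloc puts over_top in a section of memory which
     is on the free list as part of another block (where info_table_2 had
     been).  */
  over_top = malloc (over_top_size);
  over_top_dup = malloc (over_top_dup_size);

  /* Validate every allocation only now, after the whole request sequence
     has been issued.  The checks call nothing that could allocate, so the
     sequence of requests is exactly the one described above.  Without
     them a failed malloc would reach memset with a null pointer.  */
  if (dummy0 == NULL || dummy1 == NULL || fill_info_table1 == NULL
      || x == NULL || over_top == NULL || over_top_dup == NULL)
    {
      printf ("FAIL: malloc expands info table (allocation failed)\n");
      return 1;
    }

  memset (over_top, 0, over_top_size);
  memset (over_top_dup, 1, over_top_dup_size);

  /* If the two blocks overlap, the second memset has written 1s into
     over_top.  */
  for (i = 0; i < over_top_size; ++i)
    if (over_top[i] != 0)
      {
	printf ("FAIL: malloc expands info table\n");
	return 1;
      }

  for (i = 0; i < over_top_dup_size; ++i)
    if (over_top_dup[i] != 1)
      {
	printf ("FAIL: malloc expands info table\n");
	return 1;
      }

  /* The blocks are deliberately not freed; the process exits here.  */
  printf ("PASS: malloc expands info table\n");
  return 0;
}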