/* Reproduce a GNU malloc bug.  */
#include <malloc.h>
#include <stdio.h>
#include <string.h>
#define size_t unsigned int
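/* Return nonzero when every one of the N bytes starting at P holds the
   value V, zero at the first byte that does not.  Both buffers in main
   are verified through this so the two checks cannot drift apart.  */
static int
all_bytes_equal (const char *p, size_t n, int v)
{
  size_t i;

  for (i = 0; i < n; ++i)
    {
      if (p[i] != v)
	return 0;
    }
  return 1;
}

int
main (int argc, char *argv[])
{
  /* Replay an allocation sequence that once made GNU malloc place
     OVER_TOP inside memory still on the free list, so that filling
     OVER_TOP_DUP clobbered OVER_TOP.  Prints a PASS line when each
     buffer still holds the byte it was filled with and a FAIL line
     otherwise; both paths return 0, so presumably the harness reads the
     printed line rather than the exit status.  A malloc returning NULL
     says nothing about the bug under test, so that case is reported on
     stderr and returns 1 instead of dereferencing the null pointer.  */
  char *dummy0;
  char *dummy1;
  char *fill_info_table1;
  char *over_top;
  size_t over_top_size = 0x3000;
  char *over_top_dup;
  size_t over_top_dup_size = 0x7000;
  char *x;

  (void) argc;
  (void) argv;

  /* Here's what memory is supposed to look like (hex):
        size  contents
        3000  original_info_table, later fill_info_table1
      3fa000  dummy0
      3fa000  dummy1
        6000  info_table_2
	3000  over_top
	*/
  /* mem: original_info_table */
  dummy0 = malloc (0x3fa000);
  if (dummy0 == NULL)
    goto no_memory;
  /* mem: original_info_table, dummy0 */
  dummy1 = malloc (0x3fa000);
  if (dummy1 == NULL)
    goto no_memory;
  /* mem: free, dummy0, dummy1, info_table_2 */
  fill_info_table1 = malloc (0x3000);
  if (fill_info_table1 == NULL)
    goto no_memory;
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */
  x = malloc (0x1000);
  if (x == NULL)
    goto no_memory;
  free (x);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */
  /* This is what loses; info_table_2 and freexx get combined unbeknownst
     to mmalloc, and mmalloc puts over_top in a section of memory which
     is on the free list as part of another block (where info_table_2 had
     been).  */
  over_top = malloc (over_top_size);
  if (over_top == NULL)
    goto no_memory;
  over_top_dup = malloc (over_top_dup_size);
  if (over_top_dup == NULL)
    goto no_memory;

  /* Fill each buffer with a distinct byte.  If the allocator handed out
     overlapping memory, the second memset would overwrite part of the
     first and the check below sees a byte that is not 0.  */
  memset (over_top, 0, over_top_size);
  memset (over_top_dup, 1, over_top_dup_size);

  if (!all_bytes_equal (over_top, over_top_size, 0)
      || !all_bytes_equal (over_top_dup, over_top_dup_size, 1))
    {
      printf ("FAIL: malloc expands info table\n");
      return 0;
    }
  printf ("PASS: malloc expands info table\n");
  return 0;

no_memory:
  /* Not a verdict on the bug: the sequence could not even be set up.  */
  fprintf (stderr, "malloc expands info table: malloc returned NULL\n");
  return 1;
}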