12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 |
- /* Reproduce a GNU malloc bug. */
- #include <malloc.h>
- #include <stdio.h>
- #include <string.h>
- #define size_t unsigned int
- int
- main (int argc, char *argv[])
- {
- char *dummy0;
- char *dummy1;
- char *fill_info_table1;
- char *over_top;
- size_t over_top_size = 0x3000;
- char *over_top_dup;
- size_t over_top_dup_size = 0x7000;
- char *x;
- size_t i;
- /* Here's what memory is supposed to look like (hex):
- size contents
- 3000 original_info_table, later fill_info_table1
- 3fa000 dummy0
- 3fa000 dummy1
- 6000 info_table_2
- 3000 over_top
- */
- /* mem: original_info_table */
- dummy0 = malloc (0x3fa000);
- /* mem: original_info_table, dummy0 */
- dummy1 = malloc (0x3fa000);
- /* mem: free, dummy0, dummy1, info_table_2 */
- fill_info_table1 = malloc (0x3000);
- /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */
- x = malloc (0x1000);
- free (x);
- /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */
- /* This is what loses; info_table_2 and freexx get combined unbeknownst
- to mmalloc, and mmalloc puts over_top in a section of memory which
- is on the free list as part of another block (where info_table_2 had
- been). */
- over_top = malloc (over_top_size);
- over_top_dup = malloc (over_top_dup_size);
- memset (over_top, 0, over_top_size);
- memset (over_top_dup, 1, over_top_dup_size);
- for (i = 0; i < over_top_size; ++i)
- if (over_top[i] != 0)
- {
- printf ("FAIL: malloc expands info table\n");
- return 0;
- }
- for (i = 0; i < over_top_dup_size; ++i)
- if (over_top_dup[i] != 1)
- {
- printf ("FAIL: malloc expands info table\n");
- return 0;
- }
- printf ("PASS: malloc expands info table\n");
- return 0;
- }
|