1 | /* Reproduce a GNU malloc bug. */ |
2 | #include <malloc.h> | |
3 | #include <stdio.h> | |
4 | #include <string.h> | |
5 | ||
6 | #define size_t unsigned int | |
7 | ||
/* Allocation handles kept at file scope.  main only ever assigns them and
   never reads them back; as locals they would draw "set but not used"
   warnings, so they are defined as globals instead.  */
char *dummy0 = NULL;		/* first large filler allocation */
char *dummy1 = NULL;		/* second large filler allocation */
char *fill_info_table1 = NULL;	/* block requested after the two fillers */
12 | ||
13 | ||
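/* Regression test for an allocator bookkeeping bug.

   A fixed sequence of allocations is made, then two blocks (over_top and
   over_top_dup) are filled with different byte values and read back.  If
   the allocator handed out memory that overlaps another block, the second
   memset overwrites part of the first and the read-back finds a mismatch.

   argc and argv are unused.

   Returns 0 after printing the PASS line, and 1 after printing a FAIL
   line.  The non-zero status matters: a harness that only looks at the
   exit status would otherwise record detected heap corruption as a pass.  */
int
main (int argc, char *argv[])
{
  char *over_top;
  size_t over_top_size = 0x3000;
  char *over_top_dup;
  size_t over_top_dup_size = 0x7000;
  char *x;
  size_t i;

  /* Here's what memory is supposed to look like (hex):
	size  contents
	3000  original_info_table, later fill_info_table1
      3fa000  dummy0
      3fa000  dummy1
	6000  info_table_2
	3000  over_top

	*/
  /* mem: original_info_table */
  dummy0 = malloc (0x3fa000);
  /* mem: original_info_table, dummy0 */
  dummy1 = malloc (0x3fa000);
  /* mem: free, dummy0, dummy1, info_table_2 */
  fill_info_table1 = malloc (0x3000);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */

  x = malloc (0x1000);
  free (x);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */

  /* This is what loses; info_table_2 and freexx get combined unbeknownst
     to mmalloc, and mmalloc puts over_top in a section of memory which
     is on the free list as part of another block (where info_table_2 had
     been).  */
  over_top = malloc (over_top_size);
  over_top_dup = malloc (over_top_dup_size);

  /* Both blocks are written through below, so a failed allocation has to
     be caught here rather than passed to memset as a null pointer.  The
     filler allocations above are never dereferenced and are left
     unchecked.  */
  if (over_top == NULL || over_top_dup == NULL)
    {
      printf ("FAIL: malloc expands info table (allocation failed)\n");
      return 1;
    }

  memset (over_top, 0, over_top_size);
  memset (over_top_dup, 1, over_top_dup_size);

  /* over_top was filled before over_top_dup; any byte that is no longer
     zero was overwritten through some other block.  */
  for (i = 0; i < over_top_size; ++i)
    {
      if (over_top[i] != 0)
	{
	  printf ("FAIL: malloc expands info table\n");
	  return 1;
	}
    }

  /* Same check for the second block and its fill value.  */
  for (i = 0; i < over_top_dup_size; ++i)
    {
      if (over_top_dup[i] != 1)
	{
	  printf ("FAIL: malloc expands info table\n");
	  return 1;
	}
    }

  printf ("PASS: malloc expands info table\n");
  return 0;
}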