1/* Reproduce a GNU malloc bug. */
2#include <malloc.h>
3#include <stdio.h>
4#include <string.h>
5
6#define size_t unsigned int
7
8/* Defined as global variables to avoid warnings about unused variables. */
9char *dummy0;
10char *dummy1;
11char *fill_info_table1;
12
13
14int
15main (int argc, char *argv[])
16{
17 char *over_top;
18 size_t over_top_size = 0x3000;
19 char *over_top_dup;
20 size_t over_top_dup_size = 0x7000;
21 char *x;
22 size_t i;
23
24 /* Here's what memory is supposed to look like (hex):
25 size contents
26 3000 original_info_table, later fill_info_table1
27 3fa000 dummy0
28 3fa000 dummy1
29 6000 info_table_2
30 3000 over_top
31
32 */
33 /* mem: original_info_table */
34 dummy0 = malloc (size: 0x3fa000);
35 /* mem: original_info_table, dummy0 */
36 dummy1 = malloc (size: 0x3fa000);
37 /* mem: free, dummy0, dummy1, info_table_2 */
38 fill_info_table1 = malloc (size: 0x3000);
39 /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */
40
41 x = malloc (size: 0x1000);
42 free (ptr: x);
43 /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */
44
45 /* This is what loses; info_table_2 and freexx get combined unbeknownst
46 to mmalloc, and mmalloc puts over_top in a section of memory which
47 is on the free list as part of another block (where info_table_2 had
48 been). */
49 over_top = malloc (size: over_top_size);
50 over_top_dup = malloc (size: over_top_dup_size);
51 memset (s: over_top, c: 0, n: over_top_size);
52 memset (s: over_top_dup, c: 1, n: over_top_dup_size);
53
54 for (i = 0; i < over_top_size; ++i)
55 if (over_top[i] != 0)
56 {
57 printf (format: "FAIL: malloc expands info table\n");
58 return 0;
59 }
60
61 for (i = 0; i < over_top_dup_size; ++i)
62 if (over_top_dup[i] != 1)
63 {
64 printf (format: "FAIL: malloc expands info table\n");
65 return 0;
66 }
67
68 printf (format: "PASS: malloc expands info table\n");
69 return 0;
70}
71

source code of glibc/malloc/mallocbug.c