52 lines
1.1 KiB
C
52 lines
1.1 KiB
C
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <assert.h>
|
|
#include <string.h>
|
|
#include <stdint.h>
|
|
|
|
#include <mimalloc.h>
|
|
#include <mimalloc-override.h> // redefines malloc etc.
|
|
|
|
static void double_free();
|
|
|
|
int main() {
|
|
mi_version();
|
|
double_free();
|
|
void* p1 = malloc(78);
|
|
void* p2 = malloc(24);
|
|
free(p1);
|
|
p1 = malloc(8);
|
|
//char* s = strdup("hello\n");
|
|
free(p2);
|
|
p2 = malloc(16);
|
|
p1 = realloc(p1, 32);
|
|
free(p1);
|
|
free(p2);
|
|
//free(s);
|
|
//mi_collect(true);
|
|
|
|
/* now test if override worked by allocating/freeing across the api's*/
|
|
//p1 = mi_malloc(32);
|
|
//free(p1);
|
|
//p2 = malloc(32);
|
|
//mi_free(p2);
|
|
mi_stats_print(NULL);
|
|
return 0;
|
|
}
|
|
|
|
static void double_free() {
|
|
void* p[256];
|
|
uintptr_t buf[256];
|
|
|
|
p[0] = mi_malloc(622616);
|
|
p[1] = mi_malloc(655362);
|
|
p[2] = mi_malloc(786432);
|
|
mi_free(p[2]);
|
|
// [VULN] Double free
|
|
mi_free(p[2]);
|
|
p[3] = mi_malloc(786456);
|
|
// [BUG] Found overlap
|
|
// p[3]=0x429b2ea2000 (size=917504), p[1]=0x429b2e42000 (size=786432)
|
|
fprintf(stderr, "p3: %p-%p, p1: %p-%p, p2: %p\n", p[3], (uint8_t*)(p[3]) + 786456, p[1], (uint8_t*)(p[1]) + 655362, p[2]);
|
|
}
|