From ce7c6341d38ecd3af4d1e01032e9ea8b4078aa97 Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Mon, 15 Aug 2011 01:59:15 -0400
Subject: simplify and improve double-free check

a valid mmapped block will have an even (actually aligned) "extra" field, whereas a freed chunk on the heap will always have an in-use neighbor. this fixes a potential bug if mmap ever allocated memory below the main program/brk (in which case it would be wrongly-detected as a double-free by the old code) and allows the double-free check to work for donated memory outside of the brk area (or, in the future, secondary heap zones if support for their creation is added).
---
 src/malloc/malloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/malloc')

diff --git a/src/malloc/malloc.c b/src/malloc/malloc.c
index db4287ef..0888afa9 100644
--- a/src/malloc/malloc.c
+++ b/src/malloc/malloc.c
@@ -394,7 +394,7 @@ void *realloc(void *p, size_t n)
 size_t oldlen = n0 + extra;
 size_t newlen = n + extra;
 /* Crash on realloc of freed chunk */
- if ((uintptr_t)base < mal.brk) *(volatile char *)0=0;
+ if (extra & 1) *(volatile char *)0=0;
 if (newlen < PAGE_SIZE && (new = malloc(n))) {
 memcpy(new, p, n-OVERHEAD);
 free(p);
@@ -457,7 +457,7 @@ void free(void *p)
 char *base = (char *)self - extra;
 size_t len = CHUNK_SIZE(self) + extra;
 /* Crash on double free */
- if ((uintptr_t)base < mal.brk) *(volatile char *)0=0;
+ if (extra & 1) *(volatile char *)0=0;
 __munmap(base, len);
 return;
 }
--
cgit v1.2.1
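Review bot: The new `extra & 1` test in both the realloc hunk and the free hunk encodes an invariant that the code itself never states: a genuinely mmapped chunk has an aligned, hence even, `extra`, while a heap chunk that reaches this path has already been freed and its in-use neighbour leaves bit 0 of the prev-size field set, so the parity of `extra` is what separates the two cases. The existing `/* Crash on double free */` comment would carry that reasoning if changed to `/* Crash on double free: mmapped chunks have even extra, a freed heap chunk's in-use neighbour sets bit 0 */`, with the matching wording on the `/* Crash on realloc of freed chunk */` comment. Both sites also abort via `*(volatile char *)0=0`, a null store the C standard leaves undefined and that relies on the compiler not removing it; a dedicated trap such as `__builtin_trap()` guarantees the abort, and putting the parity test plus the trap in one shared static inline helper would keep the two check sites from drifting apart. The enclosing mmapped-chunk branch of each function begins outside the hunk, so the surrounding condition that gates these checks is not visible here.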