diff options
author | Rich Felker <dalias@aerifal.cx> | 2011-03-23 13:24:00 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2011-03-23 13:24:00 -0400 |
commit | 095820016689dfdc9141f477a86de22054c86078 (patch) | |
tree | 23543ebec48463f5481441beb8c549b7456b3c1e /src | |
parent | aa398f56fa398f2202b04e82c67f822f3233786f (diff) | |
download | musl-095820016689dfdc9141f477a86de22054c86078.tar.gz musl-095820016689dfdc9141f477a86de22054c86078.tar.bz2 musl-095820016689dfdc9141f477a86de22054c86078.tar.xz musl-095820016689dfdc9141f477a86de22054c86078.zip |
very cheap double-free checks in malloc
Diffstat (limited to 'src')
-rw-r--r-- | src/malloc/malloc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/malloc/malloc.c b/src/malloc/malloc.c index 3c08c41e..a4eefda9 100644 --- a/src/malloc/malloc.c +++ b/src/malloc/malloc.c @@ -393,6 +393,8 @@ void *realloc(void *p, size_t n) char *base = (char *)self - extra; size_t oldlen = n0 + extra; size_t newlen = n + extra; + /* Crash on realloc of freed chunk */ + if ((uintptr_t)base < mal.brk) *(char *)0=0; if (newlen < PAGE_SIZE && (new = malloc(n))) { memcpy(new, p, n-OVERHEAD); free(p); @@ -454,6 +456,8 @@ void free(void *p) size_t extra = self->data[-1]; char *base = (char *)self - extra; size_t len = CHUNK_SIZE(self) + extra; + /* Crash on double free */ + if ((uintptr_t)base < mal.brk) *(char *)0=0; __munmap(base, len); return; } |