poc2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <jemalloc/jemalloc.h>
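/*
 * Non-fatal check: prints "assert error." when expr is false and then lets
 * execution continue. Unlike the <assert.h> macro of the same name it never
 * aborts, so a failed check does not stop the program.
 *
 * The body is wrapped in do { ... } while (0) so the macro expands to a single
 * statement: a bare `if (...) {...}` followed by the caller's `;` breaks when
 * the macro is used as the body of an if/else.
 */
#define assert(expr) do { if (!(expr)) { printf("assert error.\n"); } } while (0)

/*
 * File descriptor that print_my_jemalloc_data() writes to. The only assignment
 * is in the commented-out setup at the top of main(), so it keeps its
 * zero-initialised value unless that setup is re-enabled.
 */
int g_fd;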
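/*
 * Output callback with the (opaque, text) shape that the commented-out
 * malloc_stats_print() call in main() passes it under: appends the
 * NUL-terminated string buf to the descriptor in g_fd.
 *
 * opaque is unused. write() may accept fewer bytes than requested, so the
 * remainder is retried until everything is written; on an error or a
 * zero-length write the rest of buf is dropped (output is best-effort).
 */
void print_my_jemalloc_data(void *opaque, const char *buf){
    (void)opaque;

    size_t left = strlen(buf);
    while (left > 0) {
        ssize_t n = write(g_fd, buf, left);
        if (n <= 0) {
            return; /* nothing useful to do from inside a print callback */
        }
        buf += n;
        left -= (size_t)n;
    }
}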
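/*
 * Proof of concept for missing pointer validation in the allocator's free():
 * allocates sz bytes, passes free() an address that malloc() never returned,
 * and prints the address the next malloc(sz) hands out.
 *
 * Returns 0 after printing, or 1 if the initial allocation fails.
 */
int main(void){
    /*
     * Disabled setup: dump allocator statistics to heap_stats.out through
     * print_my_jemalloc_data.
     *
    int fd = open("heap_stats.out",O_CREAT|O_WRONLY,0666);
    g_fd = fd;
    malloc_stats_print(print_my_jemalloc_data,NULL,NULL);
    */

    // [PRE-CONDITION]
    //   sz : any size
    // [BUG] double free
    // [POST-CONDITION]
    //   malloc(sz) == malloc(sz)
    //
    // NOTE(review): the conditions above describe the double-free variant that
    // is commented out at the end of this function. The code that actually
    // runs frees p + 0x200, an address beyond the 0x100-byte allocation, i.e.
    // an invalid free rather than a double free.
    int sz = 0x100;
    void *p = malloc(sz);
    if (p == NULL) {
        // Without a valid base pointer the rest of the demonstration is meaningless.
        perror("malloc");
        return 1;
    }
    //printf("0x%p\n", malloc(sz));

    // Arithmetic on void* is a GNU extension; going through char* keeps the
    // byte offset identical on any compiler. The resulting address lies past
    // the end of the allocation, so forming it is already undefined behaviour
    // in standard C.
    void *bad = (char *)p + 0x200;
    printf("0x%p\n", bad);

    // Invalid free: the argument was never returned by malloc(). A checking
    // allocator or a sanitizer build is expected to stop here (AddressSanitizer
    // reports a free of an address which was not malloc()-ed).
    free(bad);

    // Compare this address with the one printed above to see whether the
    // allocator accepted the bogus pointer.
    printf("0x%p\n", malloc(sz));

    // Disabled variant:
    // [BUG] free 'p' again
    // this is allowed due to lack of security checks
    //free(p);
    //free(p);
    //assert(malloc(sz) == malloc(sz));
    //printf("0x%p\n", malloc(sz));
    //printf("0x%p\n", malloc(sz));
    //printf("0x%p\n", malloc(sz));
    return 0;
}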