#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
| 4 | |
/*
 * Default reporting sink: forwards a printf-style message to stdout.
 *
 * fmt is handed to vprintf() as the format string, so it must be a format
 * the calling code controls, never text taken from outside the program.
 */
static void printf_log(const char *fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    vprintf(fmt, args);
    va_end(args);
}
| 12 | |
/*
 * Reporting hook, defined outside this file. Point it at another function
 * for non-printf reporting.
 */
extern void (*malloc_log)(const char *fmt, ...);

/*
 * The constructor attribute makes this run before main(), so the hook
 * already points at printf_log when the first allocation below happens.
 */
static void __attribute__((constructor)) ctor(void)
{
    malloc_log = printf_log;
}
| 20 | |
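/*
 * Deliberately misuses the heap so that an instrumented allocator has one
 * sample of each defect class to report: a double free, a realloc of a
 * freed block, a write after free, a write one byte before a block and a
 * write one byte past a block. The faulty statements are the purpose of
 * this program and must keep their order; do not "repair" them.
 *
 * Returns 0 after the probes have run, or 1 if one of the initial
 * allocations failed and the probes were therefore skipped.
 */
int main(void)
{
    char *ptr[6];
    char *uaf;
    char *cf, *cb;
    unsigned i;

    ptr[0] = malloc(10);    /* never released in this program */
    ptr[1] = calloc(1, 20);
    ptr[2] = malloc(30);
    ptr[3] = malloc(40);
    ptr[4] = malloc(50);
    ptr[5] = malloc(60);

    /*
     * A failed allocation would turn the probes below into plain NULL
     * dereferences, which would crash the run without exercising any of
     * the intended checks. Stop early and say so instead.
     */
    for (i = 0; i < sizeof ptr / sizeof ptr[0]; i++) {
        if (ptr[i] == NULL) {
            fprintf(stderr, "allocation %u failed\n", i);
            return 1;
        }
    }

    /* Double free: the same block is released twice. */
    free(ptr[1]);
    free(ptr[1]);

    /* Realloc of a block that has already been freed. */
    free(ptr[2]);
    ptr[2] = realloc(ptr[2], 300);
    // free(ptr[2]);
    // free(ptr[2]);

    /* Use after free: write into the 40-byte block after releasing it. */
    uaf = ptr[3];
    free(uaf);
    uaf[5] = 'a';

    /* Underrun: write one byte before the start of the 50-byte block. */
    cf = ptr[4];
    cf[-1] = 'a';

    /* Overrun: write one byte past the end of the 60-byte block. */
    cb = ptr[5];
    cb[60] = 'a';

    /*
     * NOTE(review): presumably keeps the process alive long enough for the
     * reports to be collected; the reason is not visible in this file.
     */
    sleep(10);

    return 0;
}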