
glibc/2.7/malloc/mallocbug.c

    1: /* Reproduce a GNU malloc bug.  */
    2: #include <malloc.h>
    3: #include <stdio.h>
    4: #include <string.h>
    5: 
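/* Use the size_t the C headers already declare.  Redefining a standard
   typedef name as a macro is reserved (C11 7.1.3) and would make the size
   locals in main a different type from the size_t that malloc's prototype
   takes.  <stdio.h> and <string.h> above already provide it; <stddef.h> is
   included so this file does not depend on that incidental ordering.  */
#include <stddef.h>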
    7: 
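/* Return nonzero when every one of the N bytes starting at P equals V.
   Used to detect overlapping live blocks: if two chunks overlap, filling
   one of them clobbers part of the other.  */
static int
all_bytes_are (const char *p, size_t n, char v)
{
  size_t i;

  for (i = 0; i < n; ++i)
    if (p[i] != v)
      return 0;
  return 1;
}

/* Run the reproduction recipe and print PASS or FAIL on stdout.
   Exit status 0 is kept for both verdicts, as in the original test; only
   the case where the recipe could not be set up at all (an allocation
   returned NULL) exits with status 1.  argc/argv are unused.  */
int
main (int argc, char *argv[])
{
  char *dummy0;
  char *dummy1;
  char *fill_info_table1;
  char *over_top;
  size_t over_top_size = 0x3000;
  char *over_top_dup;
  size_t over_top_dup_size = 0x7000;
  char *x;

  (void) argc;
  (void) argv;

  /* Here's what memory is supposed to look like (hex):
        size  contents
        3000  original_info_table, later fill_info_table1
      3fa000  dummy0
      3fa000  dummy1
        6000  info_table_2
        3000  over_top

        */
  /* mem: original_info_table */
  dummy0 = malloc (0x3fa000);
  /* mem: original_info_table, dummy0 */
  dummy1 = malloc (0x3fa000);
  /* mem: free, dummy0, dummy1, info_table_2 */
  fill_info_table1 = malloc (0x3000);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */
  if (dummy0 == NULL || dummy1 == NULL || fill_info_table1 == NULL)
    {
      /* The layout under test is only reached if every allocation above
         succeeded; without it there is no verdict to give.  */
      printf ("UNRESOLVED: malloc expands info table (allocation failed)\n");
      return 1;
    }

  x = malloc (0x1000);
  if (x == NULL)
    {
      printf ("UNRESOLVED: malloc expands info table (allocation failed)\n");
      return 1;
    }
  free (x);
  /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */

  /* This is what loses; info_table_2 and freexx get combined unbeknownst
     to mmalloc, and mmalloc puts over_top in a section of memory which
     is on the free list as part of another block (where info_table_2 had
     been).  */
  over_top = malloc (over_top_size);
  over_top_dup = malloc (over_top_dup_size);
  if (over_top == NULL || over_top_dup == NULL)
    {
      /* memset on a NULL block would crash before any verdict is printed.  */
      printf ("UNRESOLVED: malloc expands info table (allocation failed)\n");
      return 1;
    }

  /* Fill each block with a distinct byte; if the allocator handed out
     overlapping memory, the second memset overwrites part of the first.  */
  memset (over_top, 0, over_top_size);
  memset (over_top_dup, 1, over_top_dup_size);

  if (!all_bytes_are (over_top, over_top_size, 0)
      || !all_bytes_are (over_top_dup, over_top_dup_size, 1))
    {
      printf ("FAIL: malloc expands info table\n");
      return 0;
    }

  printf ("PASS: malloc expands info table\n");
  /* The blocks are deliberately not freed: the test is about the heap
     state, and handing a possibly overlapping block back to free would
     only add a crash on top of the verdict already printed.  Process exit
     reclaims the memory.  */
  return 0;
}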