#include <malloc/malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Produce some names on the trace
// Granule size in bytes used to size the test allocation (my_malloc requests
// two of these). NOTE(review): presumably the memory-tagging granule of the
// detector under test; confirm against the test driver.
const size_t tag_granule = 16;
// Innermost allocation frame: requests two granules' worth of bytes.
// Returns malloc()'s result unchanged (NULL on failure); the caller owns it.
// Kept as its own function so that it shows up as a named frame on the trace.
static uint8_t *my_malloc(void)
{
    uint8_t *block = malloc(2 * tag_granule);
    return block;
}
// Outer allocation frame: forwards to my_malloc() so the allocation trace
// carries two distinct, recognizable function names.
static uint8_t *allocate(void)
{
    uint8_t *block = my_malloc();
    return block;
}
// Innermost deallocation frame: releases ptr with free().
// The pointer must not be used after this call.
static void my_free(void *ptr)
{
    free(ptr);
}
// Outer deallocation frame: forwards to my_free() so the deallocation trace
// carries two distinct, recognizable function names.
static void deallocate(void *ptr)
{
    my_free(ptr);
}
// Innermost access frame: writes the value 1 to byte offset 7 of ptr.
// main() reaches this with an already-freed pointer, which is what makes the
// write invalid; the function itself does not check the pointer.
static void touch_memory(uint8_t *ptr)
{
    ptr[7] = 1; // invalid access
}
// Outer access frame: forwards to touch_memory() so the faulting access is
// reported beneath two distinct, recognizable function names.
static void modify(uint8_t *ptr)
{
    touch_memory(ptr);
}
int main() {
uint8_t *ptr = allocate();
strncpy((char *)ptr, "Hello", 16);
strncpy((char *)ptr + 16, "World", 16);
deallocate(ptr); // before free
modify(ptr); // use-after-free
return 0;
}