[uClibc] BUG: malloc

Robert Daniels RobertD at vantagecontrols.com
Fri Aug 16 22:54:39 UTC 2002


I found a bug in the new malloc for uClibc (0.9.14).  If a previously
allocated block of memory is freed twice, there is the possibility of
confusion.  The following sample code demonstrates one aspect of the
problem, which results in a circularly linked free list:

#include <stdlib.h>	/* malloc(), free() */

#define MALLOC_SIZE 120

int main(void)
{
	void *p1 = malloc(MALLOC_SIZE);
	void *p2 = malloc(MALLOC_SIZE);
	void *p3 = malloc(MALLOC_SIZE);

	free(p2);
	free(p1);
	free(p2);	/* second free of p2: the double free being reported */
	free(p3);

	return 0;
}

The result is that the second time p2 is freed, you run into an infinite loop
in __heap_free() because the first free area gets linked to itself - a nifty
side-effect of having the heap_free_area struct located at the end of the
free area.

The following is a patch that checks for this situation:

*** heap_free.c.old	Fri Aug 16 16:42:15 2002
--- heap_free.c	Fri Aug 16 16:42:48 2002
***************
*** 82,87 ****
--- 82,92 ----
  
  	  goto done;
  	}
+       else if ((mem >= fa_mem) && (mem < HEAP_FREE_AREA_END (fa)))
+ 	{
+ 	  /* MEM falls within FA - already considered freed so do nothing.
*/
+ 	  goto done;
+ 	}
      }
  
    /* Make MEM into a new free-list entry.  */
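Review bot: the new `else if` branch swallows the double free silently (`goto done` with no diagnostic), so the caller that freed a block twice never learns that the heap has just detected memory corruption on its side; in a libc this should at least be reported or abort under a debug build rather than be treated as a successful free. The test also only looks at the start address: `(mem >= fa_mem) && (mem < HEAP_FREE_AREA_END (fa))` catches MEM when it begins inside FA, but a region that begins before `fa_mem` and extends into FA still passes and is threaded onto the list. Separately, the patch as posted is line-wrapped: the `*/` closing the new comment sits on its own line without a `+` prefix, so it will not apply with patch(1) until that line is rejoined with `/* MEM falls within FA - already considered freed so do nothing.`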

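The self-linking described above can be reproduced in a small model of the free list. The following C program is an added example, not code from the report or from uClibc: it keeps the two properties the report relies on (an address-ordered free list whose descriptor is stored at the end of each free area, and coalescing with a neighbouring area on free), replays the free(p2); free(p1); free(p2); free(p3) sequence, and shows that the unchecked free path leaves the list circular while the range test from the patch rejects the second free of p2. Everything except the HEAP_FREE_AREA_END macro quoted in the patch (the struct layout, the function names, HEAP_FREE_AREA_START, and the 128-byte block standing in for a MALLOC_SIZE allocation plus header) is an assumption made for the model.

```c
/* Toy model of the uClibc 0.9.14 free list described in the report; added for
 * illustration, not uClibc code.  Kept from the real allocator: an
 * address-ordered free list whose descriptor sits at the END of each free
 * area, neighbour coalescing on free, and the range check from the patch.
 * Names other than HEAP_FREE_AREA_END are assumptions; merging with both
 * neighbours in one step is omitted. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct heap_free_area {
    size_t size;                    /* bytes in the area, descriptor included */
    struct heap_free_area *next;    /* next area by ascending address */
};
struct heap { struct heap_free_area *free_areas; };

/* The descriptor occupies the last sizeof(struct heap_free_area) bytes. */
#define HEAP_FREE_AREA_END(fa)   ((char *)((fa) + 1))
#define HEAP_FREE_AREA_START(fa) (HEAP_FREE_AREA_END(fa) - (fa)->size)

/* Put a descriptor at the tail of [mem, mem+size) and splice it after PREV.
 * If PREV already lives at that tail (a double free of a block that was
 * merged into PREV), prev->next = fa makes the area point at itself. */
static struct heap_free_area *
heap_add_free_area(struct heap *h, char *mem, size_t size,
                   struct heap_free_area *prev, struct heap_free_area *next)
{
    struct heap_free_area *fa = (struct heap_free_area *)(mem + size) - 1;
    fa->size = size;
    fa->next = next;
    if (prev) prev->next = fa; else h->free_areas = fa;
    return fa;
}

/* Return [mem, mem+size) to H.  0 on success; -1 if CHECK is set and MEM
 * already lies inside a free area (the patch's test); -2 if the walk exceeds
 * any possible area count for this arena, i.e. the list is circular. */
static int heap_free(struct heap *h, char *mem, size_t size, int check)
{
    struct heap_free_area *prev = NULL, *fa;
    char *end = mem + size;
    int steps = 0;

    for (fa = h->free_areas; fa; prev = fa, fa = fa->next) {
        char *fa_mem = HEAP_FREE_AREA_START(fa), *fa_end = HEAP_FREE_AREA_END(fa);
        if (++steps > 16) return -2;        /* the real loop would spin here */
        if (fa_mem > end) break;            /* insertion point, no neighbour */
        if (fa_mem == end) {                /* FA begins where MEM ends: grow backwards */
            fa->size += size;               /* descriptor stays at the same tail */
            return 0;
        }
        if (fa_end == mem) {                /* FA ends where MEM begins: grow forwards */
            struct heap_free_area *next = fa->next;
            size_t grown = fa->size + size;
            fa = (struct heap_free_area *)((char *)fa + size);   /* descriptor moves to new tail */
            fa->size = grown; fa->next = next;
            if (prev) prev->next = fa; else h->free_areas = fa;
            return 0;
        }
        if (check && mem >= fa_mem && mem < fa_end)
            return -1;                      /* already free: refuse instead of relinking */
    }
    heap_add_free_area(h, mem, size, prev, fa);
    return 0;
}

/* Number of areas on the list, or -1 if it revisits a node (circular). */
static int heap_walk(const struct heap *h)
{
    int n = 0;
    for (struct heap_free_area *fa = h->free_areas; fa; fa = fa->next)
        if (++n > 16) return -1;
    return n;
}

/* Sum of free bytes; call only after heap_walk() reported no cycle. */
static size_t heap_free_bytes(const struct heap *h)
{
    size_t total = 0;
    for (struct heap_free_area *fa = h->free_areas; fa; fa = fa->next) total += fa->size;
    return total;
}

#define BLOCK 128   /* assumed: one malloc(MALLOC_SIZE) block with its header */
static union { char bytes[3 * BLOCK]; struct heap_free_area align; } arena;

/* Replay the report's free(p2); free(p1); free(p2); free(p3) on three
 * back-to-back blocks (p1 < p2 < p3, as malloc hands them out).
 * Stores the double free's return code in *third_rc; returns heap_walk(). */
static int run_report_sequence(struct heap *h, int check, int *third_rc)
{
    char *p1 = arena.bytes, *p2 = p1 + BLOCK, *p3 = p2 + BLOCK;
    memset(&arena, 0, sizeof arena);
    h->free_areas = NULL;
    heap_free(h, p2, BLOCK, check);
    heap_free(h, p1, BLOCK, check);             /* merges into the area freed by p2 */
    *third_rc = heap_free(h, p2, BLOCK, check); /* the double free */
    heap_free(h, p3, BLOCK, check);
    return heap_walk(h);
}

int main(void)
{
    struct heap h; int rc;
    int areas = run_report_sequence(&h, 0, &rc);
    printf("unchecked: double free rc=%d, free list %s\n", rc,
           areas < 0 ? "is circular" : "is intact");
    areas = run_report_sequence(&h, 1, &rc);
    printf("checked:   double free rc=%d, %d area(s), %zu free bytes\n",
           rc, areas, heap_free_bytes(&h));
    return 0;
}
```

Build with cc -std=c99 and run.  In the unchecked run the second free of p2 finds no adjacent neighbour (p1 and p2 are already one merged area whose descriptor sits at the end of p2), falls through to heap_add_free_area, and writes a new descriptor at exactly the address of the existing one, so prev->next = fa points the area at itself; every later walk of the list is circular.  The walks here are bounded so that the demonstration terminates where uClibc's loop would not.  With the check enabled the third free returns -1 and the final list is a single area covering all three blocks.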