reason for double free or corruption

Tags:

c

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *ptr, *tmp;
        ptr = (int *)malloc(sizeof(int) * 60);   /* block holds 60 ints */
        tmp = ptr;                               /* keep the original pointer for free() */
        printf("tmp  %p ptr %p\n", (void *)tmp, (void *)ptr);
        int i = 0;
        for (i = 0; i < 76; i++)                 /* writes 16 ints past the 60 allocated */
        {
            *ptr = i;
            ptr++;
        }

        printf("tmp  %p ptr %p\n", (void *)tmp, (void *)ptr);
        free(tmp);
        return 0;
    }

This program crashes when we run it:

{124}: ./a.out 
tmp  23134224 ptr 23134224
tmp  23134224 ptr 23134528
*** glibc detected *** ./a.out: double free or corruption (!prev): 0x0000000001610010 ***
======= Backtrace: =========
/lib64/libc.so.6[0x333ce750c6]
./a.out[0x4005e0]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x333ce1ecdd]
./a.out[0x400499]
Abort (core dumped)

I am aware that I am overwriting the array, but here the observation is that the crash happens when I free(tmp). Now, even though I am overwriting ptr, when I free(ptr) it should only free the first 60 bytes.

So can you please help me to understand this error.

user1068833 asked Dec 11 '22 06:12


2 Answers

Overwriting invokes undefined behavior.

In your case, you trash the heap's data structures, causing free() to do something which crashes. This is why it's called "undefined behavior", since you can't know when, how, or if there will be any observable "proof" that you did something wrong. Or it can come later when the program does something seemingly unrelated.

Also, please don't cast the return value of malloc() in C.

unwind answered Dec 27 '22 03:12


You are writing beyond the end of the block of memory that you allocated and the behaviour is undefined.

I am aware that I am overwriting the array but here observation is crash happens at when I free(tmp) now even though I am over writing ptr, but when I free(ptr) it should only free first 60 bytes.

Heap-allocated memory typically works by storing metadata about the block of memory alongside the block of memory. This is needed so that the heap manager knows how to free the block of memory. After all, when you pass a pointer to free, the heap manager does need some way to work out how to deallocate the memory.

What is happening here is that you are corrupting that metadata and that is detected when the call to free is made. It looks very much like you are using the debug heap manager which in your runtime implements debugging code to detect such heap corruptions.

David Heffernan answered Dec 27 '22 01:12
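The corrected form of the question's program, as an added example that is not part of either answer: the loop is driven by the number of elements actually allocated, the write is bounds-checked, and free() receives exactly the pointer malloc() returned. The names fill_checked, run_example and COUNT are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Number of ints the block is meant to hold (the question allocates 60). */
#define COUNT 60

/* Write 0,1,2,... into buf[0..n), but never past cap elements.
 * Returns the number of elements written, or -1 if n exceeds cap.
 * (hypothetical helper written for this example) */
static int fill_checked(int *buf, size_t cap, size_t n)
{
    if (buf == NULL || n > cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (int)i;
    return (int)n;
}

/* Allocate COUNT ints, try to fill n of them, then free the block.
 * Returns 0 on success, 1 if the fill was refused (n > COUNT),
 * 2 if malloc failed. With n = 76 the original program wrote 16 ints
 * (64 bytes) past the end of the block and into the metadata of the
 * chunk that follows it, which glibc only noticed inside free();
 * here the out-of-bounds write never happens. */
int run_example(size_t n)
{
    int *buf = malloc(sizeof *buf * COUNT);   /* no cast needed in C */
    if (buf == NULL)
        return 2;
    int rc = (fill_checked(buf, COUNT, n) < 0) ? 1 : 0;
    free(buf);   /* hand back exactly the pointer malloc returned */
    return rc;
}

int main(void)
{
    /* %p with a (void *) cast is the portable way to print a pointer;
     * %u with a pointer argument, as in the question, is itself undefined. */
    int *p = malloc(sizeof *p);
    printf("p = %p\n", (void *)p);
    free(p);
    printf("fill 60 -> %d, fill 76 -> %d\n", run_example(60), run_example(76));
    return 0;
}
```

Building the original program with -fsanitize=address reports the heap-buffer-overflow at the first out-of-bounds store in the loop rather than leaving it to free() to notice the damaged chunk header.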