1c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev#include <stdio.h> 2c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev#include <stdlib.h> 3c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev#include <stdarg.h> 4c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 5c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchevstatic void printf_log(const char *fmt, ...) 6c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev{ 7c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev va_list lst; 8c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev va_start(lst, fmt); 9c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev vprintf(fmt, lst); 10c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev va_end(lst); 11c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev} 12c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 13c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev/* Override this for non-printf reporting */ 14c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchevextern void (*malloc_log)(const char *fmt, ...); 15c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchevstatic void ctor(void) __attribute__((constructor)); 16c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchevstatic void ctor(void) 17c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev{ 18c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev malloc_log = printf_log; 19c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev} 20c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 21c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchevint main(void) 22c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev{ 23c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev char *ptr[6]; 24c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev char *uaf; 25c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev char *cf, *cb; 26c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 27c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[0] = malloc(10); 28c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[1] = calloc(1,20); 29c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[2] = malloc(30); 30c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[3] = malloc(40); 31c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[4] = malloc(50); 32c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[5] = malloc(60); 33c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 34c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev free(ptr[1]); 35c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev free(ptr[1]); 36c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev free(ptr[2]); 37c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev ptr[2] = realloc(ptr[2], 300); 38c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev// free(ptr[2]); 39c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev// free(ptr[2]); 40c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 41c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev uaf = ptr[3]; 42c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev free(uaf); 43c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev uaf[5] = 'a'; 44c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 45c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev cf = ptr[4]; 46c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev cf[-1] = 'a'; 47c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 48c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev cb = ptr[5]; 49c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev cb[60] = 'a'; 50c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 51c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev sleep(10); 52c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev 53c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev return 0; 54c322989ae6ff6769490828de1b5eda12b749cce9Iliyan Malchev} 55