Next step: detect double-frees and use-after-free
dank at kegel.com
Sat Nov 21 22:20:13 CST 2009
Now that the heap tail check is more or less working,
I'm on to implementing protection against double frees
and use-after-free for recently freed blocks. The idea
is that HEAP_MakeInUseBlockFree() will take
the block it's called with, push it onto a FIFO,
pull an old block off the FIFO, and mark that old
block free. The blocks languishing in the FIFO
will be marked inaccessible. If you try to free one,
realloc one, or even get its size, you'll get an immediate error;
if you write to one, you'll get an error when it comes
out of the FIFO or when the heap is validated;
and if you're running Valgrind, you'll get an immediate
error on read or write to the freed block.
The FIFO will be drained when the heap is destroyed.
It will be implemented using a standard wine list
in an optional fixed-sized block at the tail of each allocation.
Remind me again why we didn't do this years ago...
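The delayed-free FIFO described above in miniature, as an added example that is not Wine's code or the author's: qalloc, qfree, qdrain, QUARANTINE_SLOTS and the state tags are hypothetical names, and a poison fill stands in for the inaccessible marking, so a double free is caught at once and a write into a parked block is caught when it leaves the FIFO.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of the delayed-free FIFO the post describes; not Wine code.
 * Names (qalloc, qfree, qdrain, QUARANTINE_SLOTS) are hypothetical. A freed block is
 * poisoned, tagged and parked in a fixed-size FIFO; only the oldest block is really freed. */
#define QUARANTINE_SLOTS 4
#define POISON 0xFE
enum { STATE_INUSE = 0x1A2B, STATE_QUARANTINED = 0x3C4D };
struct hdr { unsigned state; size_t size; };   /* header sits just before the user data */
static void *fifo[QUARANTINE_SLOTS];
static unsigned fifo_head, fifo_count, error_count;
static struct hdr *hdr_of(void *p) { return (struct hdr *)p - 1; }
static void report(const char *what, void *p) { error_count++; fprintf(stderr, "%s: %p\n", what, p); }
/* Really free a quarantined block; a clobbered poison byte means it was written after free. */
static void release(void *p) {
    unsigned char *b = p;
    size_t i, n = hdr_of(p)->size;
    for (i = 0; i < n; i++)
        if (b[i] != POISON) { report("write after free", p); break; }
    free(hdr_of(p));
}
void *qalloc(size_t n) {
    struct hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->state = STATE_INUSE; h->size = n;
    return h + 1;
}
/* Returns 0, or -1 when the block is still in quarantine (double free). Blocks that have
 * already left the FIFO are back with the system allocator and are no longer checked. */
int qfree(void *p) {
    struct hdr *h = hdr_of(p);
    if (h->state != STATE_INUSE) { report("double free", p); return -1; }
    h->state = STATE_QUARANTINED;
    memset(p, POISON, h->size);
    if (fifo_count == QUARANTINE_SLOTS) {      /* full: retire the oldest, park the new one */
        release(fifo[fifo_head]);
        fifo[fifo_head] = p;
        fifo_head = (fifo_head + 1) % QUARANTINE_SLOTS;
    } else
        fifo[(fifo_head + fifo_count++) % QUARANTINE_SLOTS] = p;
    return 0;
}
/* Drain the FIFO (e.g. on heap destruction); returns the total number of errors seen. */
unsigned qdrain(void) {
    for (; fifo_count; fifo_count--, fifo_head = (fifo_head + 1) % QUARANTINE_SLOTS)
        release(fifo[fifo_head]);
    return error_count;
}
```

Under Valgrind the real heap would additionally flag reads of a parked block immediately; this toy only sees writes, and only once the block is retired or drained.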