forked from CyanogenMod/android_hardware_ti_omap4
-
Notifications
You must be signed in to change notification settings - Fork 6
/
tm.c
54 lines (44 loc) · 892 Bytes
/
tm.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
static void printf_log(const char *fmt, ...)
{
va_list lst;
va_start(lst, fmt);
vprintf(fmt, lst);
va_end(lst);
}
/* Override this for non-printf reporting */
extern void (*malloc_log)(const char *fmt, ...);
static void ctor(void) __attribute__((constructor));
static void ctor(void)
{
malloc_log = printf_log;
}
int main(void)
{
char *ptr[6];
char *uaf;
char *cf, *cb;
ptr[0] = malloc(10);
ptr[1] = calloc(1,20);
ptr[2] = malloc(30);
ptr[3] = malloc(40);
ptr[4] = malloc(50);
ptr[5] = malloc(60);
free(ptr[1]);
free(ptr[1]);
free(ptr[2]);
ptr[2] = realloc(ptr[2], 300);
// free(ptr[2]);
// free(ptr[2]);
uaf = ptr[3];
free(uaf);
uaf[5] = 'a';
cf = ptr[4];
cf[-1] = 'a';
cb = ptr[5];
cb[60] = 'a';
sleep(10);
return 0;
}