ReceiveTempSMS/Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ntdll: Verify the tail contents when validating an in-use block with tail checking enabled.

Browse Source
This commit is contained in:
Alexandre Julliard 2010-01-26 14:34:31 +01:00
parent a192695099
commit c0abf594f8
1 changed files with 34 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
dlls/ntdll/heap.c
View File

@ -428,9 +428,12 @@ static HEAP *HEAP_GetPtr(
return NULL; return NULL;
} }
if ((heapPtr->flags & HEAP_VALIDATE_ALL) && !HEAP_IsRealArena( heapPtr, 0, NULL, NOISY )) if ((heapPtr->flags & HEAP_VALIDATE_ALL) && !HEAP_IsRealArena( heapPtr, 0, NULL, NOISY ))
{
if (TRACE_ON(heap))
{ {
HEAP_Dump( heapPtr ); HEAP_Dump( heapPtr );
assert( FALSE ); assert( FALSE );
}
return NULL; return NULL;
} }
return heapPtr; return heapPtr;
@ -1094,6 +1097,8 @@ static BOOL HEAP_ValidateFreeArena( SUBHEAP *subheap, ARENA_FREE *pArena )
*/ */
static BOOL HEAP_ValidateInUseArena( const SUBHEAP *subheap, const ARENA_INUSE *pArena, BOOL quiet ) static BOOL HEAP_ValidateInUseArena( const SUBHEAP *subheap, const ARENA_INUSE *pArena, BOOL quiet )
{ {
SIZE_T size;
DWORD i, flags = subheap->heap->flags;
const char *heapEnd = (const char *)subheap->base + subheap->size; const char *heapEnd = (const char *)subheap->base + subheap->size;
/* Check for unaligned pointers */ /* Check for unaligned pointers */
@ -1136,18 +1141,19 @@ static BOOL HEAP_ValidateInUseArena( const SUBHEAP *subheap, const ARENA_INUSE *
return FALSE; return FALSE;
} }
/* Check arena size */ /* Check arena size */
if ((const char *)(pArena + 1) + (pArena->size & ARENA_SIZE_MASK) > heapEnd) size = pArena->size & ARENA_SIZE_MASK;
if ((const char *)(pArena + 1) + size > heapEnd ||
(const char *)(pArena + 1) + size < (const char *)(pArena + 1))
{ {
ERR("Heap %p: bad size %08x for in-use arena %p\n", ERR("Heap %p: bad size %08lx for in-use arena %p\n", subheap->heap, size, pArena );
subheap->heap, pArena->size & ARENA_SIZE_MASK, pArena );
return FALSE; return FALSE;
} }
/* Check next arena PREV_FREE flag */ /* Check next arena PREV_FREE flag */
if (((const char *)(pArena + 1) + (pArena->size & ARENA_SIZE_MASK) < heapEnd) && if (((const char *)(pArena + 1) + size < heapEnd) &&
(*(const DWORD *)((const char *)(pArena + 1) + (pArena->size & ARENA_SIZE_MASK)) & ARENA_FLAG_PREV_FREE)) (*(const DWORD *)((const char *)(pArena + 1) + size) & ARENA_FLAG_PREV_FREE))
{ {
ERR("Heap %p: in-use arena %p next block has PREV_FREE flag\n", ERR("Heap %p: in-use arena %p next block %p has PREV_FREE flag %x\n",
subheap->heap, pArena ); subheap->heap, pArena, (const char *)(pArena + 1) + size,*(const DWORD *)((const char *)(pArena + 1) + size) );
return FALSE; return FALSE;
} }
/* Check prev free arena */ /* Check prev free arena */
@ -1177,6 +1183,25 @@ static BOOL HEAP_ValidateInUseArena( const SUBHEAP *subheap, const ARENA_INUSE *
return FALSE; return FALSE;
} }
} }
/* Check unused size */
if (pArena->unused_bytes > size)
{
ERR("Heap %p: invalid unused size %08x/%08lx\n", subheap->heap, pArena->unused_bytes, size );
return FALSE;
}
/* Check unused bytes */
if (flags & HEAP_TAIL_CHECKING_ENABLED)
{
const unsigned char *data = (const unsigned char *)(pArena + 1) + size - pArena->unused_bytes;
for (i = 0; i < pArena->unused_bytes; i++)
{
if (data[i] == ARENA_TAIL_FILLER) continue;
ERR("Heap %p: block %p tail overwritten at %p (byte %u/%u == 0x%02x)\n",
subheap->heap, pArena + 1, data + i, i, pArena->unused_bytes, data[i] );
return FALSE;
}
}
return TRUE; return TRUE;
} }