Subject: Re: malloc() returns pointer to already allocated memory
To: djgpp AT delorie DOT com
References: <158e5d20-0a90-4beb-de48-da328379d8fb AT gmail DOT com>
From: "Frank Sapone (emoaddict15 AT gmail DOT com) [via djgpp AT delorie DOT com]"
Date: Mon, 17 Jun 2019 01:28:32 -0400
On 6/17/2019 1:05 AM, Rod Pemberton wrote:
> On Mon, 17 Jun 2019 02:27:18 +0200
> "J.W. Jagersma (jwjagersma AT gmail DOT com) [via djgpp AT delorie DOT com]"
> wrote:
>
>> I ran into this issue with malloc(). It seems that, given enough
>> allocations, malloc() will eventually return a pointer into already
>> allocated memory.
>>
>> The attached program is able to reproduce this rather consistently,
>> but only under cwsdpmi. It also only happens if the memory has
>> previously been written to (suggesting a paging issue?). However the
>> code that first led me to investigate this also exhibits the same
>> problem under hdpmi. As such, I'm still not entirely convinced that
>> this initial issue wasn't caused by my own code. I also find it hard
>> to believe that no one else noticed this rather obvious problem
>> before me. Still, the attached program demonstrates this clobbering
>> issue, and I think this would warrant further investigation.
>>
>> Any insight is much appreciated.
>>
> First problem is trivial. The code doesn't compile with older DJGPP
> v1.3. The declaration of 'i' within the for() loop errors, but other
> C99 declarations only warn.
>
> Second problem is you don't call memset() prior to using memory, nor
> free() after you're done using it. Of course, calling memset() would
> prevent your method of "clobber" detection from working. But, not
> calling memset() means you don't know if the magic clobber value is:
> a) from you setting it within your program, or
> b) from some random garbage values in memory.
>
> Third problem is you apparently didn't test the program without the
> "p[i] = magic;" line. If you had, you would've noticed that your
> program clobbers even without setting memory to magic values. In
> other words, memory is filled with random values, since it wasn't
> cleared by memset(). Also, some of those random values happen to
> match your program's random magic value used to detect clobbered memory.
>
> Fourth problem is that you can't actually confirm if memory is being
> clobbered from within a C program for two reasons: inability to
> distinguish a magic value from an identical random value in memory
> which hasn't been cleared, and the inability in C to allocate, clear,
> and free memory, prior to the re-use of the exact same memory for a
> clobber test. To test this issue properly requires a modified version
> of the memory allocator, i.e., CWSDPMI in this case.
>
> Finally, you didn't report which version of DJGPP, or CWSDPMI, and
> whether or not your code is operating in a Windows 98/SE/ME/XP etc
> console. When operating in a Windows console, CWSDPMI is not being
> used. The Windows DPMI host is being used.
>
>
> Rod Pemberton

Hi Rod,

Good points. I was thinking some of the same things when I read this post earlier, but I am not as much of a C guru as others here. My initial thoughts were that memset was not being called and that it was a random integer for the magic value that there is a possibility of grabbing the same value.

Frank
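An added example, not code from this thread or from DJGPP: a portable C check that records the address range of every live block and tests each new malloc() result against those ranges, so the verdict depends only on addresses and not on a magic value that garbage in uncleared memory could happen to match (the ambiguity raised in the second and fourth points above). It assumes a hosted C99 compiler; the block count and size are made-up parameters.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Half-open address range [lo, hi) of one live allocation. */
struct range { uintptr_t lo, hi; };

/* Returns 1 if [lo, hi) intersects any of the n recorded live ranges. */
int overlaps_live(const struct range *live, size_t n, uintptr_t lo, uintptr_t hi)
{
    for (size_t i = 0; i < n; i++)
        if (lo < live[i].hi && live[i].lo < hi)
            return 1;
    return 0;
}

/* Allocates up to nblocks blocks of `size` bytes, writes each one (so the
 * pages are really touched, as in the original report) and counts how many
 * new blocks land inside a block that is still live. Only addresses are
 * compared, so stale contents cannot cause a false positive. Everything is
 * freed before returning; a correct allocator yields 0, -1 means the
 * bookkeeping arrays themselves could not be allocated. */
int count_overlapping_allocs(size_t nblocks, size_t size)
{
    struct range *live = malloc(nblocks * sizeof *live);
    void **ptrs = malloc(nblocks * sizeof *ptrs);
    size_t n = 0;
    int bad = 0;
    if (!live || !ptrs) { free(live); free(ptrs); return -1; }
    for (size_t i = 0; i < nblocks; i++) {
        char *p = malloc(size);
        if (!p) break;                     /* out of memory: stop early */
        uintptr_t lo = (uintptr_t)p, hi = lo + size;
        if (overlaps_live(live, n, lo, hi))
            bad++;                         /* genuine allocator defect */
        memset(p, 0xA5, size);             /* touch the memory, known contents */
        live[n].lo = lo; live[n].hi = hi;  /* record it as live */
        ptrs[n++] = p;
    }
    for (size_t i = 0; i < n; i++) free(ptrs[i]);
    free(live); free(ptrs);
    return bad;
}

int main(void)
{
    int bad = count_overlapping_allocs(2000, 4096);
    printf("%d overlapping allocations\n", bad);
    return bad != 0;
}
```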