From: Russ Cox
To: 9fans <9fans@cse.psu.edu>
Date: Thu, 17 Feb 2005 13:43:22 -0500
Subject: [9fans] tip o' the day

Here's a long one.

---------- Forwarded message ----------
From: Russ Cox
Date: Thu, 17 Feb 2005 13:41:56 -0500
Subject: Re: png
To: andrey mirtchovski
Cc: anyrhine@cs.helsinki.fi

> mem user overflow
> pool sbrkmem block 115348
> hdr 0a110c09 00000020 00002d1e 00000000 00000000 faf0f100
> tail 0a110c09 00000020 00002d1e 00000000 00000000 faf0f100 | ef1400be 00000020
> user data 00 00 00 00 00 00 00 00 | 00 f1 f0 fa be 00 14 ef
> panic: pool panic
> 8.png 336871: suicide: sys: trap: fault read addr=0x0 pc=0x00006cd5

This says that the block at address 0x115348 has overflowed the amount
written to it. In the "user data" print, the | marks the place where the
user data should end. The next magic bytes are "fe f1 f0 fa" (fee fi fo
fum), but a 00 has overwritten the fe.

The size of the block is the second word of the header minus the 16-bit
word contained between ef and be in the tail, so 0x20-0x14 = 12 in this
case. That includes the 2 words of tags, so there's really only 4 bytes.
So you called malloc(4) and then wrote 5 bytes to it.

The header is two words. The next two are the malloc tags and then after
that comes the real data. The malloc tags are by default the pc that last
allocated and reallocated the block, so you allocated from 0x2d1e.

Run

	src -s 0x2d1e /bin/png

and you'll have the line that allocated. If that's a wrapper (e.g.,
pngmalloc) you can change the wrapper to do

	v = malloc(n);
	setmalloctag(v, getcallerpc(&n));

so that the tag will have the caller of pngmalloc instead of pngmalloc
itself.

Russ
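The decoding Russ walks through above, as an added example that is not part of the original mail: a small Python script that parses a constructed copy of the quoted pool panic, applies the same arithmetic (header size word minus the 16-bit value between be and ef in the tail, minus the two tag words) and checks which of the "fe f1 f0 fa" guard bytes were clobbered. The byte order of the 16-bit tail value follows Russ's reading of the dump (0x0014), which is an assumption about the pool layout rather than something the mail states outright.

```python
import re

DATAMAGIC = bytes([0xfe, 0xf1, 0xf0, 0xfa])  # "fee fi fo fum", written just past the user data
TAGBYTES = 8                                 # two tag words (malloc pc, realloc pc) precede the data

# Constructed copy of the pool panic quoted in the mail (same values as above).
PANIC = """\
mem user overflow
pool sbrkmem block 115348
hdr 0a110c09 00000020 00002d1e 00000000 00000000 faf0f100
tail 0a110c09 00000020 00002d1e 00000000 00000000 faf0f100 | ef1400be 00000020
user data 00 00 00 00 00 00 00 00 | 00 f1 f0 fa be 00 14 ef
panic: pool panic
"""

def decode_pool_panic(text):
    """Turn a Plan 9 pool 'user overflow' report into block size, user size and damage."""
    lines = text.splitlines()
    block = int(re.search(r"block ([0-9a-fA-F]+)", text).group(1), 16)
    hdr = [int(w, 16) for w in next(l for l in lines if l.startswith("hdr ")).split()[1:]]
    size, malloctag, realloctag = hdr[1], hdr[2], hdr[3]   # word 0 is the header magic
    userdata = next(l for l in lines if l.startswith("user data"))
    past_end = bytes(int(b, 16) for b in userdata.split("|")[1].split())
    guard, tail = past_end[:4], past_end[4:8]
    if tail[0] != 0xbe or tail[3] != 0xef:
        raise ValueError("tail magic is not be .. ef; not a pool tail")
    # 16-bit value between be and ef, read high byte first as in the mail (0x0014 here)
    slack = (tail[1] << 8) | tail[2]
    dsize = size - slack               # header word 2 minus the tail value
    usersize = dsize - TAGBYTES        # what the caller actually asked malloc for
    # an overflow clobbers the guard from its first byte on; report how far it reached
    bad = [i for i in range(4) if guard[i] != DATAMAGIC[i]]
    overrun = max(bad) + 1 if bad else 0
    return {"block": block, "size": size, "malloctag": malloctag,
            "realloctag": realloctag, "usersize": usersize, "overrun": overrun}

if __name__ == "__main__":
    r = decode_pool_panic(PANIC)
    print("block 0x%x: malloc(%d) from pc 0x%x, at least %d byte(s) written past the end"
          % (r["block"], r["usersize"], r["malloctag"], r["overrun"]))
    print("find the allocation with: src -s 0x%x /bin/png" % r["malloctag"])
```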