Heap Bug In JamesM's Tutorials

[Creature]

Hello,

I just wanted to say this for other developers using JamesM's tutorials. I'm not sure but, isn't this piece of code:

Code: Select all

if ((u32int)hole_footer < heap->end_address)
       {
           hole_footer->magic = HEAP_MAGIC;
           hole_footer->header = hole_header;
       }

In chapter 7 (7.4.2.2. Allocation) supposed to be this:

Code: Select all

if (((u32int)hole_footer + sizeof(footer_t)) < heap->end_address)
       {
           hole_footer->magic = HEAP_MAGIC;
           hole_footer->header = hole_header;
       }

Because JamesM checks if writing the footer of the hole will go past the ending address of the heap, but if the starting address of the hole footer is just before the ending address, but the structure's size reaches beyond the ending address, a page-fault will/might occur. So I think this is a bug.

Can you give me any feedback on this (I'm not really a guru in heap-related things).

[JamesM]

Probably a valid bug, I'll have another look when I'm not drunk!

[AJ]

Hi,

From what you say it looks valid, but that operator would also need to change from '<' to '<=', because for the last entry, hole_footer + sizeof(footer_t) will equal heap->end_address.

Cheers,
Adam

[Creature]

Hi,

From what you say it looks valid, but that operator would also need to change from '<' to '<=', because for the last entry, hole_footer + sizeof(footer_t) will equal heap->end_address.

Cheers,
Adam

True, otherwise it won't be written if it still ends at the end-address, while it should.