Introduction
In the post on Heap Exploitation with House of Orange, we relied on an implicit free inside the allocation procedure. In this post I want to record the implicit malloc/free calls that occur inside glibc functions. As a start, I describe the implicit malloc/free in the printf function. In the future, I may add other functions that I come across in CTF challenges.
The glibc version used for testing may differ from function to function; the version is given in each part.
(*)vfprintf
Function printf
Source Code Review
Implicit Malloc in vfprintf
```c
if (width >= WORK_BUFFER_SIZE - 32)
  {
    /* We have to use a special buffer.  The "32" is just a safe bet
       for all the output which is not counted in the width.  */
    size_t needed = ((size_t) width + 32) * sizeof (CHAR_T);
    if (__libc_use_alloca (needed))
      workend = (CHAR_T *) alloca (needed) + width + 32;
    else
      {
        workstart = (CHAR_T *) malloc (needed);
        if (workstart == NULL)
          {
            done = -1;
            goto all_done;
          }
        workend = workstart + width + 32;
      }
  }
```
Implicit Free in vfprintf
```c
all_done:
  if (__glibc_unlikely (workstart != NULL))
    free (workstart);
  /* Unlock the stream.  */
  _IO_funlockfile (s);
  _IO_cleanup_region_end (0);
```
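To see which field widths actually reach the malloc path (and how large the chunk freed at all_done is), here is an added C example of my own, not code from the post or from glibc. It mirrors the decision in the two snippets above and assumes WORK_BUFFER_SIZE is 1000, as in glibc's vfprintf.c, and that __libc_use_alloca() accepts at most 65536 bytes on the main thread; main() additionally formats through snprintf and reports whether the program break moved, which shows the transient heap chunk on glibc versions that still contain the snippet above.

```c
#define _DEFAULT_SOURCE          /* exposes sbrk() */
#include <stdio.h>
#include <unistd.h>

/* Assumed constants: WORK_BUFFER_SIZE as in glibc's vfprintf.c, and the
   largest request __libc_use_alloca() accepts on the main thread. */
#define WORK_BUFFER_SIZE 1000
#define ALLOCA_CUTOFF    65536

enum work_buf_path { PATH_STACK_ARRAY, PATH_ALLOCA, PATH_MALLOC };

/* Mirror vfprintf's choice of work buffer for a field width. *needed
   receives the byte count handed to alloca()/malloc(), 0 if the fixed
   work_buffer array is enough. CHAR_T is char for the narrow printf. */
enum work_buf_path vfprintf_work_buffer_path(size_t width, size_t *needed)
{
    *needed = 0;
    if (width < WORK_BUFFER_SIZE - 32)
        return PATH_STACK_ARRAY;
    *needed = (width + 32) * sizeof(char);
    if (*needed <= ALLOCA_CUTOFF)
        return PATH_ALLOCA;       /* lives on the stack, no free() needed */
    return PATH_MALLOC;           /* heap chunk, free()d at all_done */
}

/* Format one padded integer with the given width and report how far the
   program break moved: non-zero means the main arena grew during snprintf. */
long brk_growth_for_width(int width)
{
    static char scratch[1 << 17];   /* large enough for every width below */
    char *before = sbrk(0);
    snprintf(scratch, sizeof scratch, "%*d", width, 1);
    char *after = sbrk(0);
    return (long)(after - before);
}

int main(void)
{
    /* Measure all three before printing anything: stdout's own buffer is
       malloc'ed on the first printf and would otherwise mask the result. */
    int widths[] = { 5000, 70000, 500 };
    long moved[3];
    for (int i = 0; i < 3; i++)
        moved[i] = brk_growth_for_width(widths[i]);
    for (int i = 0; i < 3; i++) {
        size_t needed;
        enum work_buf_path p = vfprintf_work_buffer_path((size_t)widths[i], &needed);
        printf("width %5d: needed %5zu, path %-11s, brk moved %ld bytes\n", widths[i],
               needed, p == PATH_MALLOC ? "malloc" : p == PATH_ALLOCA ? "alloca" : "stack array",
               moved[i]);
    }
    return 0;
}
```

Only the width 70000 line should show the break moving; newer glibc releases reworked this padding code, so the brk column may stay at zero there.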