Exploring heap corruption

Source: Internet
Author: User

Two days ago a program I wrote accidentally triggered heap corruption, but I found the problem in the code and made some corrections. I didn't have time to explore it in depth, and I wrote a short post about it on my blog. Some of my friends left comments that made me quite ashamed: why couldn't I go into depth on such a question? I can't let it keep existing in my mind as a vague concept. So I studied it today, and I have some gains to share with you.

First, let's explain what heap corruption is. When the input exceeds the size of the pre-allocated space, it overwrites the storage area after that space; this is called heap corruption. It is also often used as a means of attack, because if the storage area after the space holds more important data, heap corruption can be used to modify that data, and the consequences can be imagined.

In VC, when a program is compiled and run in release mode, heap allocation calls malloc: if you ask for 10 bytes of space, only 10 bytes are allocated. In debug mode, heap allocation calls _malloc_dbg: if you ask for 10 bytes, then in addition to the 10 bytes you need it allocates about 36 more bytes to store some bookkeeping information. After a debug heap block is allocated, it is linked into a chain in allocation order.

Let's take a look at what the bookkeeping information contains. In the example above, 32 bytes of additional information are stored in front of the allocated 10-byte space. The _CrtMemBlockHeader structure can be found in dbgint.h:

#include <stddef.h>          /* size_t */

#define nNoMansLandSize 4    /* width of each guard gap, as defined in dbgint.h */

typedef struct _CrtMemBlockHeader
{
    // Pointer to the block allocated just before this one:
    struct _CrtMemBlockHeader * pBlockHeaderNext;
    // Pointer to the block allocated just after this one:
    struct _CrtMemBlockHeader * pBlockHeaderPrev;
    char *                      szFileName;   // File name
    int                         nLine;        // Line number
    size_t                      nDataSize;    // Size of user block
    int                         nBlockUse;    // Type of block
    long                        lRequest;     // Allocation number
    // Buffer just before (lower than) the user's memory:
    unsigned char               gap[nNoMansLandSize];
} _CrtMemBlockHeader;

/* In an actual memory block in the debug heap,
 * this structure is followed by:
 *    unsigned char data[nDataSize];
 *    unsigned char anotherGap[nNoMansLandSize];
 */

The two pointers in the _CrtMemBlockHeader structure need no explanation. szFileName is the path and name of the source file containing the line of code that made the allocation, and nLine is that line number. nDataSize is the requested allocation size (10 in our example), nBlockUse is the block type, and lRequest is the allocation request number. The last member, gap, also known as no man's land, is a 4-byte area (nNoMansLandSize = 4). As the comment at the end of the structure shows, the header is followed by the 10-byte data area the user actually asked for, which is in turn followed by another 4-byte gap; in other words, the user's area is sandwiched between a header structure and a 4-byte gap. Both gaps are filled with 0xFD when the block is allocated, and they are checked when the 10-byte block is freed. If the value in a gap has changed, the check fails with an assertion. In VC6 the message is hard to understand: "DAMAGE: after Normal block (#dd) at 0xhhhhhhhh"; VS2005 instead reports "Heap corruption detected". In a release build, however, this error lurks until its destructive power takes effect. Perhaps the following area stores a divisor, and your heap corruption changes it to 0. What happens then?
As for whether other C/C++ compilers have such a mechanism, I am not very clear about it. Perhaps someone who knows can add something.
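To make the mechanism concrete, here is a small guarded allocator written as an added example for this post; it is not MSVC's debug heap and not code from the original article. It models _CrtMemBlockHeader with a hypothetical guard_header, fills the gaps before and after the user data with 0xFD at allocation time, and checks them on free, so a one-byte overrun of a 10-byte buffer is reported as damage after the block instead of silently corrupting whatever follows. All type and function names (guard_header, guard_malloc, guard_check, guard_free, the demo functions) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NO_MANS_LAND_SIZE 4      /* same width as nNoMansLandSize in dbgint.h */
#define NO_MANS_LAND_FILL 0xFD   /* fill byte the debug heap writes into both gaps */

/* Hypothetical header modelled on _CrtMemBlockHeader; not the CRT's own type. */
typedef struct guard_header {
    struct guard_header *next;   /* chain of live blocks, like pBlockHeaderNext/Prev */
    struct guard_header *prev;
    const char *file;            /* like szFileName: where the allocation was made */
    int line;                    /* like nLine */
    size_t data_size;            /* like nDataSize: bytes the caller asked for */
    long request;                /* like lRequest: allocation number */
    unsigned char gap[NO_MANS_LAND_SIZE];   /* guard just below the user data */
} guard_header;

static guard_header *g_first = NULL;  /* head of the chain of live blocks */
static long g_request = 0;

/* Layout: header, then n user bytes, then a trailing gap; both gaps are filled with 0xFD. */
void *guard_malloc(size_t n, const char *file, int line)
{
    guard_header *h = malloc(sizeof *h + n + NO_MANS_LAND_SIZE);
    if (h == NULL) return NULL;
    h->next = g_first;
    h->prev = NULL;
    if (g_first != NULL) g_first->prev = h;
    g_first = h;
    h->file = file;
    h->line = line;
    h->data_size = n;
    h->request = ++g_request;
    memset(h->gap, NO_MANS_LAND_FILL, NO_MANS_LAND_SIZE);
    unsigned char *data = (unsigned char *)(h + 1);
    memset(data + n, NO_MANS_LAND_FILL, NO_MANS_LAND_SIZE);
    return data;
}

/* 0 = both gaps intact; bit 1 = gap before the data damaged; bit 2 = gap after it damaged. */
int guard_check(const void *p)
{
    const guard_header *h = (const guard_header *)p - 1;
    const unsigned char *data = (const unsigned char *)p;
    int status = 0;
    for (size_t i = 0; i < NO_MANS_LAND_SIZE; i++) {
        if (h->gap[i] != NO_MANS_LAND_FILL) status |= 1;
        if (data[h->data_size + i] != NO_MANS_LAND_FILL) status |= 2;
    }
    return status;
}

/* Checks the gaps the way the debug CRT does on free, reports damage, then releases the block. */
int guard_free(void *p)
{
    guard_header *h = (guard_header *)p - 1;
    int status = guard_check(p);
    if (status & 1)
        fprintf(stderr, "DAMAGE: before block #%ld at %p, allocated at %s(%d)\n",
                h->request, p, h->file, h->line);
    if (status & 2)
        fprintf(stderr, "DAMAGE: after block #%ld at %p, allocated at %s(%d)\n",
                h->request, p, h->file, h->line);
    if (h->prev != NULL) h->prev->next = h->next; else g_first = h->next;
    if (h->next != NULL) h->next->prev = h->prev;
    free(h);
    return status;
}

/* Constructed bug: a 10-byte buffer receives 11 bytes, one past the end. */
int demo_overflow(void)
{
    char *buf = guard_malloc(10, __FILE__, __LINE__);
    if (buf == NULL) return -1;
    memset(buf, 'A', 11);        /* the extra byte lands in the trailing gap */
    return guard_free(buf);      /* returns 2: damage after the block */
}

/* The same allocation used within bounds: the gaps stay 0xFD and free reports nothing. */
int demo_intact(void)
{
    char *buf = guard_malloc(10, __FILE__, __LINE__);
    if (buf == NULL) return -1;
    memset(buf, 'A', 10);
    return guard_free(buf);      /* returns 0 */
}

int main(void)
{
    printf("intact: %d, overflow: %d\n", demo_intact(), demo_overflow());
    return 0;
}
```

The point the model makes visible is that the check only runs when the block is freed (or when something like the CRT's heap-check routines walks the chain): between the overrun and the free the damage is invisible, which is exactly why a release build, which has neither the gaps nor the check, can carry the corruption until it hits data that matters.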

http://www.cppblog.com/kerlw/archive/2009/06/10/21700.html
