From: Jinoh Kang jinoh.kang.kr@gmail.com
Today, the heap does not catch double free when HEAP_VALIDATE is enabled, since validate_used_block() accepts BLOCK_TYPE_DEAD as a valid block type.
Fix this by adding an explicit check that rejects BLOCK_TYPE_DEAD in heap_validate_ptr. --- dlls/ntdll/heap.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/dlls/ntdll/heap.c b/dlls/ntdll/heap.c
index aafbbd0f523..9f786dab6f0 100644
--- a/dlls/ntdll/heap.c
+++ b/dlls/ntdll/heap.c
@@ -1138,7 +1138,18 @@ static BOOL heap_validate_ptr( const struct heap *heap, const void *ptr )
 return validate_large_block( heap, block );
 }
- return validate_used_block( heap, subheap, block );
+ if (!validate_used_block( heap, subheap, block )) return FALSE;
+
+ /* validate_used_block() has checked the alignment; the block is now safe(r) to dereference.
+ * Check if this an actually used block (instead of delayed freed block)
+ */
+ if (block_get_type( block ) != BLOCK_TYPE_USED)
+ {
+ ERR("heap %p, block %p: invalid block type %#x\n", heap, block, block_get_type( block ));
+ return FALSE;
+ }
+
+ return TRUE;
 }
static BOOL heap_validate( const struct heap *heap )
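Review bot: The comment above the new `block_get_type( block ) != BLOCK_TYPE_USED` check has a typo ("Check if this an actually used block") and does not say why the type is checked here instead of inside validate_used_block(); I would write it as `/* validate_used_block() has checked the alignment, so the header is safe to read. A pointer handed in by the caller must refer to an actually used block, not a delayed-freed (BLOCK_TYPE_DEAD) one, so reject any other type here. */`. If validate_used_block() is deliberately left accepting dead blocks because heap_validate() also relies on it and legitimately meets them, stating that in the comment would keep a later maintainer from moving the check. The ERR on the rejection path could also print the expected type, `ERR("heap %p, block %p: invalid block type %#x, expected %#x\n", heap, block, block_get_type( block ), BLOCK_TYPE_USED);`, so a double free is distinguishable in the log from a corrupted header. heap_validate_ptr's body starts before this hunk.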