From a40968e9b9abcdcc042948ea73346b020279d4b7 Mon Sep 17 00:00:00 2001
From: Iliyan Malchev
Date: Mon, 8 Aug 2011 11:24:41 -0700
Subject: initial commit
Change-Id: I8f7a7eeece0e516efa486b77e9d97805c0e65d3e
Signed-off-by: Iliyan Malchev
---
tm.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 tm.c
(limited to 'tm.c')
diff --git a/tm.c b/tm.c
new file mode 100644
index 0000000..c29a190
--- /dev/null
+++ b/tm.c
@@ -0,0 +1,54 @@
+#include
+#include
+#include
+
+static void printf_log(const char *fmt, ...)
+{
+ va_list lst;
+ va_start(lst, fmt);
+ vprintf(fmt, lst);
+ va_end(lst);
+}
+
+/* Override this for non-printf reporting */
+extern void (*malloc_log)(const char *fmt, ...);
+static void ctor(void) __attribute__((constructor));
+static void ctor(void)
+{
+ malloc_log = printf_log;
+}
+
+int main(void)
+{
+ char *ptr[6];
+ char *uaf;
+ char *cf, *cb;
+
+ ptr[0] = malloc(10);
+ ptr[1] = calloc(1,20);
+ ptr[2] = malloc(30);
+ ptr[3] = malloc(40);
+ ptr[4] = malloc(50);
+ ptr[5] = malloc(60);
+
+ free(ptr[1]);
+ free(ptr[1]);
+ free(ptr[2]);
+ ptr[2] = realloc(ptr[2], 300);
+// free(ptr[2]);
+// free(ptr[2]);
+
+ uaf = ptr[3];
+ free(uaf);
+ uaf[5] = 'a';
+
+ cf = ptr[4];
+ cf[-1] = 'a';
+
+ cb = ptr[5];
+ cb[60] = 'a';
+
+ sleep(10);
+
+ return 0;
+}
-- cgit v1.2.3
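Review bot: Nothing in main() says that the repeated free(ptr[1]), the realloc() of the already freed ptr[2], the write through uaf after free(uaf), and the cf[-1] / cb[60] stores are deliberate, so the file reads as broken code rather than as a fixture for whatever component defines malloc_log. A header comment such as `/* Intentionally faulty allocator test: each block below triggers one error the malloc_log hook is expected to report; never link into production code. */`, plus a one-line comment per case naming the expected report, would make that explicit and keep anyone from "fixing" the faults. The cases also run back to back in one process, so if the allocator aborts on the first detected error (an assumption, since the hook's behaviour is not visible here) the later cases never execute; selecting one case per run by argument would avoid that. The stores `uaf[5] = 'a'`, `cf[-1] = 'a'` and `cb[60] = 'a'` are never read back and an optimising build may drop them, so declaring `volatile char *cf, *cb;` (and giving uaf the same treatment, with a cast at free()) or building the test at -O0 keeps the faults observable.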