I compiled in C with -O3 and as share library on Linux Fedora x64. I used some mallocs after one. It seems when I work with wmemcpy and other functions in this family the change in one memory makes change in other... I may violate size of memory? Or the problem is in my implementation?
Thanks in advance!
char* ur_free_available(struct memory_pool* pool, uint64_t sz)
{
uint64_t size = sz + sizeof(struct _MyPage);
if(pool->free_pos > 0)
{
if(pool->free_blocks[pool->free_pos - 1].pNext - pool->free_blocks[0].pNext > size)
{
uint64_t i, j;
char *addr;
struct _MyPage mpg;
for(i = 1; i < pool->free_pos; ++i)
{
if(pool->free_blocks[i].pNext - pool->free_blocks[0].pNext > size)
{
mpg.pPrev = NULL;
mpg.pNext = pool->free_blocks[i-1].pNext;
break;
}
}
pool->free_blocks[0].pPrev = NULL;
for(j = i; j < pool->free_pos; ++j)
{
if(j > 0)
pool->free_blocks[j-i].pPrev = pool->free_blocks[j-1].pPrev;
pool->free_blocks[j-i].pNext = pool->free_blocks[j].pNext;
}
pool->free_pos -= i;
pool->free_pos++;
memcpy(addr,(char*)&mpg, sizeof(mpg));
return &addr[0] + sizeof(struct _MyPage);
}
}
return NULL;
}
char* ur_mem_alloc(struct memory_pool* pool, uint64_t sz)
{
char *addr;
struct _MyPage mpg;
uint64_t size = sz + sizeof(mpg);
uint64_t j = 0, c, op;
if(pool->init_pos_is != 7)
{
//bzero(pool, sizeof(pool));
pool->init_pos_is = 7;
pool->free_pos = 0;
pool->hp_position = 0;
pool->st_position = 0;
mpg.pPrev = NULL;
for(c = 0; c < HP_CNT; c++)
pool->_extramem[c] = NULL;
pool->free_blocks[0].pNext = NULL;
//pool->_bytes = malloc(ST_MYPAGE_NO*ST_MYPAGE_SIZE);
//pthread_mutex_lock(&llk1);
_mpool = pool;
//pthread_mutex_unlock(&llk1);
atexit(equit);
}
if((addr = ur_free_available(pool, size)) != NULL)
{
return &addr[0];
}
op = pool->hp_position;
if(size + (ST_MYPAGE_SIZE * pool->st_position) > ST_MYPAGE_NO * ST_MYPAGE_SIZE)
{
uint64_t i;
for(i = 0; i < HP_CNT; ++i)
{
if(size < (pow(8, i)-pool->hp_position)*HP_MYPAGE_SIZE)
{
j = i;
if(pool->_extramem[i] == NULL)
{
pool->hp_position = 0;
pthread_mutex_lock(&llk2);
pool->_extramem[i] = (char*)malloc((uint64_t)pow(8, i) * HP_MYPAGE_SIZE);
pthread_mutex_unlock(&llk2);
}
break;
}
}
addr = &pool->_extramem[j][pool->hp_position*HP_MYPAGE_SIZE];
mpg.pPrev = (struct _MyPage*)&pool->_extramem[j][op*HP_MYPAGE_SIZE];
//printf("j %u %u %u\n", j, (uint64_t)size, (uint64_t)(pow(8, i-1))*HP_MYPAGE_SIZE);
pool->hp_position += floor(size/HP_MYPAGE_SIZE) + 1;
mpg.pNext = (struct _MyPage*)&pool->_extramem[j][pool->hp_position*HP_MYPAGE_SIZE];
memcpy(addr,(char*)&mpg, sizeof(mpg));
return &addr[0] + sizeof(struct _MyPage);
//
}
else
{
if(pool->st_position != 0)
{
mpg.pPrev = (struct _MyPage*)&pool->_extramem[j][(pool->hp_position)];
}
mpg.pNext = NULL;
pool->st_position += floor(size/ST_MYPAGE_SIZE);
addr = &pool->_bytes[(uint64_t)(pool->st_position-floor(size/ST_MYPAGE_SIZE)) * ST_MYPAGE_SIZE];
memcpy(addr,(char*)&mpg, sizeof(mpg));
return &addr[0] + sizeof(struct _MyPage);
}
}
void ur_mem_free(struct memory_pool* pool, char *addr)
{
if(addr == NULL) return;
pool->free_blocks[pool->free_pos].pPrev = pool->free_blocks[pool->free_pos].pNext;
pool->free_blocks[pool->free_pos].pNext = (struct _MyPage*)(addr - sizeof(struct _MyPage));
pool->free_pos++;
}
Breafly looking into function ur_free_available, the variable addr is not initialized, but you memcpy to it corrupting a random memory region. Then you try to return something using the same non-initialized pointer.