DLL crash inside removethreadtableentry - where's the source code for that?
Ben Davis
entheh at cantab.net
Sat Feb 16 19:14:37 PST 2013
Correction to my hideous analysis inside free :P
On 17/02/2013 03:07, Ben Davis wrote:
> RTLMultiPool::SelectFree:
> 05C0AC34 push ecx
> //This reads 0x05c29b97 into eax
> 05C0AC35 mov eax,dword ptr [esp+8]
> //This reads an address from where eax points, and edx is 0
> 05C0AC39 mov edx,dword ptr [eax]
> 05C0AC3B push ebx
> 05C0AC3C push esi
> //Looking at ecx+4 revealed the value 0x00000080 (128)
> 05C0AC3D cmp edx,dword ptr [ecx+4]
> 05C0AC40 ja RTLMultiPool::SelectFree+21h (5C0AC55h)
> //So we get here
> 05C0AC42 lea ebx,[edx-1] //ebx = 0xffffffff
> 05C0AC45 shr ebx,3 //ebx = 0x1fffffff
> 05C0AC48 push eax
> 05C0AC49 mov esi,dword ptr [ecx] //esi = 0x0516000c
> 05C0AC4B mov ecx,dword ptr [esi+ebx*4] //crash!
>
> I suppose esi + 0x1fffffff*4 is basically esi-4. But then we get:
No, I got confused here - the shift right is equivalent to division by
8, not by 4. So the address [esi + 0x1fffffff*4] is very likely to be
very wrong. This implies that edx being 0 is bad. I'd be inclined to guess
at maybe a double freeing, or maybe freeing an address that isn't even a
heap address. It's also very interesting that the address we're trying
to free is completely unaligned (an odd number).
More information about the Digitalmars-d mailing list