Doesn't mixing control and data blocks actually make it more likely that heap corruption will be noisy, rather than silent? If you write over a data item with zeroes, it can screw up the state and output of your program without the runtime library or OS ever being aware of it. If you clobber a heap control block, it's fairly likely that the allocator will choke on inconsistent state the next time it walks through the free list, scream about memory corruption on stderr, and kill the program before any more calculations are done on bad data.
It's silent because it will choke not when the overflow happens but on the next malloc()/free(), which may be in a completely unrelated part of the program. Also, there are scenarios where free() may never be called because the program finishes.
Also, by carefully crafting your data you can trick the allocator into overwriting arbitrary memory locations, such as the return address, causing the CPU to jump into the code you have loaded into the buffer.
http://www.mathyvanhoef.com/2013/02/understanding-heap-exploiting-heap.html
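To make the "silent until the next free()" point concrete, here is an added toy allocator (my own illustration, not code from this thread or the linked article): it keeps an in-band header before each chunk, checks that header only in `toy_free()` the way a real allocator does, and also offers an eager `toy_heap_check()` driven by an out-of-band table, which is the kind of check a debug allocator runs on every call. All names and the 8-byte overrun scenario are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define ARENA_SIZE 4096
#define MAX_CHUNKS 64
#define MAGIC_LIVE 0xC0FFEE42u
#define MAGIC_FREE 0xDEADBEEFu
/* In-band control block before the user data: overrunning chunk N hits header N+1. */
typedef struct { uint32_t magic; uint32_t size; } hdr_t;
static union { uint64_t align; unsigned char bytes[ARENA_SIZE]; } arena_u;
#define arena arena_u.bytes
static size_t brk_off;                /* bump pointer into the arena */
static size_t chunk_off[MAX_CHUNKS];  /* out-of-band record of header offsets */
static int nchunks;
void toy_reset(void) { brk_off = 0; nchunks = 0; }
void *toy_malloc(size_t n) {
    n = (n + 7) & ~(size_t)7;
    if (nchunks == MAX_CHUNKS || brk_off + sizeof(hdr_t) + n > ARENA_SIZE) return NULL;
    hdr_t *h = (hdr_t *)(arena + brk_off);
    h->magic = MAGIC_LIVE; h->size = (uint32_t)n;
    chunk_off[nchunks++] = brk_off;
    brk_off += sizeof(hdr_t) + n;
    return h + 1;
}
/* Lazy check, like a real free(): only the freed chunk's own header is inspected. */
int toy_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    if (h->magic != MAGIC_LIVE) return -1;   /* where a real allocator aborts */
    h->magic = MAGIC_FREE;
    return 0;
}
/* Eager walk over the out-of-band table: counts headers that are neither live nor freed. */
int toy_heap_check(void) {
    int bad = 0;
    for (int i = 0; i < nchunks; i++) {
        const hdr_t *h = (const hdr_t *)(arena + chunk_off[i]);
        if (h->magic != MAGIC_LIVE && h->magic != MAGIC_FREE) bad++;
    }
    return bad;
}
/* Constructed bug: 12 zero bytes written into an 8-byte chunk overrun the next header. */
int scenario_overflow(int *eager_bad, int *free_a, int *free_b) {
    toy_reset();
    char *a = toy_malloc(8), *b = toy_malloc(8);
    memset(a, 0, 12);                 /* 4 bytes past a's end clobber b->magic */
    *eager_bad = toy_heap_check();    /* 1: caught before any free() runs */
    *free_a = toy_free(a);            /* 0: the culprit chunk frees cleanly */
    *free_b = toy_free(b);            /* -1: only noticed when b is freed */
    return *eager_bad;
}
```

The same shape explains why `MALLOC_CHECK_`-style debug modes and sanitizers catch such bugs earlier: they validate on every call or keep the bookkeeping out of band, instead of trusting the header of whichever chunk happens to be freed next.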