Double Free
Fastbin Duplication Example
By using a double free you can make malloc return the same pointer twice. Any modification of the data of one object will then also affect the other, since both refer to the same memory.
Example:
```c
#include <stdlib.h>

int main(void) {
    // The walkthrough assumes the chunks are served from a fastbin (glibc without tcache).
    // The request size is not preserved on the page; any fastbin-sized request gives the same picture.
    void *a = malloc(8);    // 0xa04010
    void *b = malloc(8);    // 0xa04030
    void *c = malloc(8);    // 0xa04050

    free(a);
    // head -> a -> tail
    free(b);  // There is a check to make sure that a freed pointer is not freed immediately again. This is mitigated by freeing a different chunk.
    // head -> b -> a -> tail
    free(a);  // Double Free !!
    // head -> a -> b -> a -> tail

    void *d = malloc(8);    // 0xa04010
    // head -> b -> a -> tail [ 'a' is returned ]
    void *e = malloc(8);    // 0xa04030
    // head -> a -> tail [ 'b' is returned ]
    void *f = malloc(8);    // 0xa04010 - Same as 'd' !
    // head -> tail [ 'a' is returned ]
    return 0;
}
```
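To make the "freed immediately again" check visible, the following is an added example that is not from the original page: a small C model of one fastbin (a LIFO list with glibc's head-only double-free check), replayed with the page's constructed addresses 0xa04010 and 0xa04030. It shows why free(a); free(a) is caught while free(a); free(b); free(a) is not, and why 'd' and 'f' come back equal. The model simulates the allocator's bookkeeping only; it is not glibc code.

```c
#include <stdio.h>

/* One simulated fastbin: a LIFO stack of freed chunk addresses;
 * bin[top-1] is the head shown in the "head -> ..." comments above. */
static unsigned long bin[16];
static int top = 0;

/* Model of free() into a fastbin. glibc compares the chunk only with the
 * current head of the bin and aborts with "double free or corruption
 * (fasttop)" on a match. Returns 1 if the free is accepted, 0 if rejected. */
static int sim_free(unsigned long chunk) {
    if (top > 0 && bin[top - 1] == chunk)
        return 0;                          /* caught: freed twice in a row */
    if (top < 16) bin[top++] = chunk;      /* deeper entries never inspected */
    return 1;
}

/* Model of malloc() served from the fastbin: pop the head (0 if empty). */
static unsigned long sim_malloc(void) { return top > 0 ? bin[--top] : 0; }

/* free(a); free(a): returns how many of the two frees were accepted (1). */
int immediate_double_free(unsigned long a) {
    int accepted = 0; top = 0;
    accepted += sim_free(a);               /* head -> a -> tail */
    accepted += sim_free(a);               /* rejected by the fasttop check */
    return accepted;
}

/* free(a); free(b); free(a); then three mallocs, as in the sequence above.
 * Fills out[] with the returned addresses and returns the number of frees
 * accepted (3: 'b' is the head when 'a' is freed again, so nothing fires). */
int interleaved_double_free(unsigned long a, unsigned long b, unsigned long out[3]) {
    int accepted = 0; top = 0;
    accepted += sim_free(a);               /* head -> a -> tail */
    accepted += sim_free(b);               /* head -> b -> a -> tail */
    accepted += sim_free(a);               /* head -> a -> b -> a -> tail */
    for (int i = 0; i < 3; i++)
        out[i] = sim_malloc();             /* pops a, then b, then a again */
    return accepted;
}

int main(void) {
    unsigned long got[3];                  /* the page's constructed addresses */
    int n1 = immediate_double_free(0xa04010UL);
    int n2 = interleaved_double_free(0xa04010UL, 0xa04030UL, got);
    printf("immediate: %d/2 frees accepted; interleaved: %d/3 accepted\n", n1, n2);
    printf("d=%#lx e=%#lx f=%#lx\n", got[0], got[1], got[2]);   /* d == f */
}
```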
Fastbin Duplication Consolidation
By freeing a small fastbin chunk and then requesting a huge chunk, malloc consolidates the fastbins and the freed chunk is moved to the unsorted bin.
This allows the same chunk to be freed again: it is no longer at the head of the fastbin, so the check above does not trigger, and the chunk ends up in two free lists at once.