{"id":1000,"date":"2025-12-27T15:32:35","date_gmt":"2025-12-27T07:32:35","guid":{"rendered":"https:\/\/www.52runoob.com\/?p=1000"},"modified":"2025-12-27T15:32:35","modified_gmt":"2025-12-27T07:32:35","slug":"free-invalid-next-size-fast-0x000000xxx","status":"publish","type":"post","link":"https:\/\/www.52runoob.com\/index.php\/2025\/12\/27\/free-invalid-next-size-fast-0x000000xxx\/","title":{"rendered":"free(): invalid next size (fast): 0x000000xxx"},"content":{"rendered":"\n<p>\u8fd9\u662f\u4e00\u4e2a<strong>\u5178\u578b\u7684 Linux \/ glibc \u5185\u5b58\u7ba1\u7406\u9519\u8bef<\/strong>\uff0c\u5c5e\u4e8e <strong>\u5806\uff08heap\uff09\u635f\u574f<\/strong> \u95ee\u9898\uff0c\u548c Burp\u3001\u7834\u89e3\u65e0\u5173\uff0c\u5b83\u662f<strong>\u7a0b\u5e8f\u672c\u8eab\u7684 Bug<\/strong>\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u274c \u9519\u8bef\u542b\u4e49\uff08\u4f60\u770b\u5230\u7684\u8fd9\u884c\u662f\u4ec0\u4e48\u610f\u601d\uff09<\/h2>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nfree(): invalid next size (fast): 0x000000xxx\n\n<\/pre><\/div>\n\n\n<p>\u542b\u4e49\u62c6\u89e3\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>free()<\/strong>\uff1a\u5728\u91ca\u653e\u5806\u5185\u5b58\u65f6\u53d1\u73b0\u5f02\u5e38<\/li>\n\n\n\n<li><strong>invalid next size<\/strong>\uff1a\u5f53\u524d chunk \u7684 <strong>\u4e0b\u4e00\u4e2a\u5185\u5b58\u5757 size \u5b57\u6bb5\u975e\u6cd5<\/strong><\/li>\n\n\n\n<li><strong>(fast)<\/strong>\uff1a\u53d1\u751f\u5728 <strong>fastbin<\/strong>\uff08glibc \u7684\u5c0f\u5757\u5185\u5b58\u7ba1\u7406\u533a\uff09<\/li>\n\n\n\n<li><strong>0x000000xxx<\/strong>\uff1a\u51fa\u95ee\u9898\u7684\u5185\u5b58\u5730\u5740<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udc49 
<strong>\u7ed3\u8bba\uff1a\u5806\u5185\u5b58\u5df2\u7ecf\u88ab\u7834\u574f<\/strong>\uff0c<code>free()<\/code> \u53ea\u662f\u201c\u53d1\u73b0\u8005\u201d\uff0c\u4e0d\u662f\u201c\u5236\u9020\u8005\u201d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd25 \u6700\u5e38\u89c1 7 \u4e2a\u6839\u56e0\uff0890% \u90fd\u5728\u8fd9\u91cc\uff09<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1\ufe0f\u20e3 <strong>\u6570\u7ec4\/\u7f13\u51b2\u533a\u8d8a\u754c\uff08\u6700\u5e38\u89c1\uff09<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nchar buf&#x5B;16];\nstrcpy(buf, &quot;this string is way too long&quot;); \/\/ \ud83d\udca5\n\n<\/pre><\/div>\n\n\n<p>\u27a1\ufe0f \u82e5 buf \u662f malloc \u5f97\u5230\u7684\u5806\u7f13\u51b2\u533a\uff0c\u8d8a\u754c\u5199\u4f1a\u8986\u76d6\u540e\u4e00\u4e2a chunk \u7684 size \u5b57\u6bb5\uff08\u4e0a\u4f8b\u7684\u6808\u6570\u7ec4\u8d8a\u754c\u7834\u574f\u7684\u662f\u6808\uff0c\u800c\u4e0d\u662f\u5806\uff09<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2\ufe0f\u20e3 <strong>\u5199\u8d8a\u754c \/ \u91ce\u6307\u9488<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nchar *p = malloc(10);\np&#x5B;20] = &#039;A&#039;;   \/\/ \u8d8a\u754c\u5199\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">3\ufe0f\u20e3 <strong>double free\uff08\u91cd\u590d\u91ca\u653e\uff09<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nfree(p);\nfree(p);  \/\/ \ud83d\udca5\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">4\ufe0f\u20e3 <strong>\u91ca\u653e\u975e malloc \u5f97\u5230\u7684\u6307\u9488<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nint a&#x5B;10];\nfree(a);  \/\/ 
\ud83d\udca5\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">5\ufe0f\u20e3 <strong>malloc \/ free \u4e0d\u5339\u914d<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nchar *p = new char&#x5B;10];\nfree(p);      \/\/ C++ \u6df7\u7528 \ud83d\udca5\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">6\ufe0f\u20e3 <strong>use-after-free<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nfree(p);\np&#x5B;0] = &#039;A&#039;;   \/\/ \ud83d\udca5\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">7\ufe0f\u20e3 <strong>\u7ed3\u6784\u4f53\u5927\u5c0f\u8ba1\u7b97\u9519\u8bef<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nstruct A { int a; char b&#x5B;8]; };\nstruct A *p = malloc(sizeof(struct A *)); \/\/ \u274c\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\uddea \u5982\u4f55\u7cbe\u51c6\u5b9a\u4f4d\uff08\u5b9e\u6218\u7ea7\uff09<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 \u65b9\u6cd5 1\uff1a<strong>AddressSanitizer\uff08\u6700\u5f3a\uff09<\/strong><\/h3>\n\n\n\n<p><strong>\u5f3a\u70c8\u63a8\u8350<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ngcc test.c -g -fsanitize=address -o test\n.\/test\n\n<\/pre><\/div>\n\n\n<p>\u8f93\u51fa\u4f1a<strong>\u7cbe\u786e\u6307\u51fa\u54ea\u4e00\u884c\u5199\u574f\u4e86\u5185\u5b58<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 
\u65b9\u6cd5 2\uff1a<strong>Valgrind<\/strong><\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nvalgrind --leak-check=full .\/test\n\n<\/pre><\/div>\n\n\n<p>\u53ef\u68c0\u6d4b\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8d8a\u754c<\/li>\n\n\n\n<li>double free<\/li>\n\n\n\n<li>use-after-free<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 \u65b9\u6cd5 3\uff1aglibc \u81ea\u5e26\u68c0\u6d4b<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nexport MALLOC_CHECK_=3\n.\/test\n\n<\/pre><\/div>\n\n\n<p>\u76f4\u63a5 abort \u5e76\u7ed9\u51fa\u63d0\u793a\uff08glibc 2.34 \u53ca\u4ee5\u540e\u7684\u7248\u672c\u9700\u8981\u901a\u8fc7 LD_PRELOAD \u9884\u52a0\u8f7d libc_malloc_debug.so \u624d\u4f1a\u751f\u6548\uff09<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 \u65b9\u6cd5 4\uff1aGDB\uff08\u8fdb\u9636\uff09<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ngdb .\/test\nrun\nbt\n\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee0\ufe0f \u6392\u67e5\u6e05\u5355\uff08\u5feb\u901f\u81ea\u68c0\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u662f\u5426\u6709 <code>strcpy \/ strcat \/ sprintf<\/code><\/li>\n\n\n\n<li>\u662f\u5426\u6709\u624b\u52a8\u8ba1\u7b97 <code>malloc<\/code> \u5927\u5c0f<\/li>\n\n\n\n<li>\u662f\u5426 free \u8fc7\u4e24\u6b21<\/li>\n\n\n\n<li>free \u540e\u662f\u5426\u7f6e <code>p = NULL<\/code><\/li>\n\n\n\n<li>C\/C++ \u662f\u5426\u6df7\u7528 new\/free<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udccc \u5173\u952e\u8ba4\u77e5\uff08\u975e\u5e38\u91cd\u8981\uff09<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u2757 
<strong>\u62a5\u9519\u4f4d\u7f6e \u2260 \u51fa\u9519\u4f4d\u7f6e<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p>\u771f\u6b63\u7684 bug \u5f80\u5f80\u5728 <strong>\u66f4\u65e9\u7684\u5199\u64cd\u4f5c<\/strong>\uff0c\u53ea\u662f\u5230 <code>free()<\/code> \u624d\u88ab\u53d1\u73b0\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8fd9\u662f\u4e00\u4e2a\u5178\u578b\u7684 Linux \/ glibc \u5185\u5b58\u7ba1\u7406\u9519\u8bef\uff0c\u5c5e\u4e8e \u5806\uff08heap\uff09\u635f&#8230; <a class=\"more-link\" href=\"https:\/\/www.52runoob.com\/index.php\/2025\/12\/27\/free-invalid-next-size-fast-0x000000xxx\/\">Continue Reading &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1000","post","type-post","status-publish","format-standard","hentry","category-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/1000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/comments?post=1000"}],"version-history":[{"count":1,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/1000\/revisions"}],"predecessor-version":[{"id":1001,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/1000\/revisions\/1001"}],"wp:attachment":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/media?parent=1000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/categories?post=1000"},{"taxonomy":"post_t
ag","embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/tags?post=1000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}