Re: lynx-dev memory leaks vs corruption

[mattack]

On Fri, 4 Dec 1998, Philip Webb wrote:
>981204 gil wrote: 
>> I would also count as "memory corruption"
>> the result of freeing the same pointer value more than once.
> 
>how does that corrupt memory?
>surely, if it's been freed, it's not there to be freed again.

It doesn't necessarily corrupt memory, but it *could* easily corrupt memory.

If the free() call doesn't check whether the pointer passed to it is a valid
pointer, it could write over some of its own internal bookkeeping data 
structures or something like that.

Yes, that would be a bug in free or whatever is being used, but 
you don't have the source to the code you're being a client of, so it can
also be considered your bug, since you are using the API incorrectly.

Looking at the man page for free, the third paragraph in the description is:

    Undefined results will occur if the space assigned  by  mal-
     loc()  is  overrun  or  if  some  random number is handed to
     free().

Seems to me that an already freed pointer counts as a "random number".
(Except in a debug build of free, which likely keeps a list of previously-
freed blocks to help find bugs like this.)

But, according to how I interpret that paragraph, it's a client bug to 
free a pointer twice, and free() is not attempting to catch that sort of 
bug, which will likely corrupt memory.