
dllcrt0.c corrupts heap by Orin Eman(laplink)

Closed

Type: Bug
ID: 773459
Opened: 12/4/2012 2:29:29 PM
Access Restriction: Public
0 Workaround(s)
0 User(s) can reproduce this bug
All memory allocated by the C runtime in a dll is freed too early by __freeCrtMemory().

_ioterm() and _mtterm() which are called after __freeCrtMemory() both access and/or free memory that was allocated by the C runtime. See below:

                    /* Free allocated CRT memory */
                    __freeCrtMemory();

#ifndef _DEBUG
                    /* If dwReason is DLL_PROCESS_DETACH, lpreserved is NULL
                     * if FreeLibrary has been called or the DLL load failed
                     * and non-NULL if the process is terminating.
                     */
                    if ( lpreserved == NULL )
                    {
#endif /* _DEBUG */
                        /*
                         * The process is NOT terminating so we must clean up...
                         */
                        /* Shut down lowio */
                        _ioterm();
                        _mtterm();

                        /* This should be the last thing the C run-time does */
                        _heap_term(); /* heap is now invalid! */
#ifndef _DEBUG
                    }
#endif /* _DEBUG */


The fix is simple. __freeCrtMemory() should be after _mtterm().

Visual Studio/Team Foundation Server/.NET Framework Tooling Version

Visual Studio 2012

Steps to reproduce

Create a dll and turn on all heap debugging flags in DllMain:

    if (dwReason == DLL_PROCESS_ATTACH)
    {
#ifdef _DEBUG
        _CrtSetDbgFlag ( _CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_CRT_DF );
#endif
    }

Elsewhere in the dll, redirect IO to a console:

    AllocConsole();
    freopen("CONOUT$", "a", stdout);

Load and free the dll from an exe.

Product Language

English

Operating System

Any

Operating System Language

English

Actual results

Debug assertion with the following output:

HEAP CORRUPTION DETECTED: on top of Free block at 0x005628B0.
CRT detected that the application wrote to a heap buffer that was freed.

Memory allocated at f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c(600).
DAMAGED located at 0x005628B0 is 544 bytes long.

Memory allocated at f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c(600).
Debug Assertion Failed!

Program: C:\Projects\Laplink\RDP\ActiveX\Debug\LaplinkRdp.dll
File: f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
Line: 1288

Expression: _CrtCheckMemory()

Call stack:

>    Foo.dll!_free_dbg_nolock(void * pUserData, int nBlockUse) Line 1288    C++
    Foo.dll!_free_dbg(void * pUserData, int nBlockUse) Line 1265    C++
    Foo.dll!_freefls(void * data) Line 431    C
    ntdll.dll!_RtlFlsFree@4()    Unknown
    KernelBase.dll!_FlsFree@4()    Unknown
    Foo.dll!__crtFlsFree(unsigned long dwFlsIndex) Line 364    C
    Foo.dll!_mtterm() Line 168    C
    Foo.dll!_CRT_INIT(void * hDllHandle, unsigned long dwReason, void * lpreserved) Line 181    C
    Foo.dll!__DllMainCRTStartup(void * hDllHandle, unsigned long dwReason, void * lpreserved) Line 384    C
    Foo.dll!_DllMainCRTStartup(void * hDllHandle, unsigned long dwReason, void * lpreserved) Line 325    C

Expected results

Dll is unloaded without error.
File Attachments
0 attachments
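
The ordering problem in the report above, as an added, simplified model (not code from the report or from the CRT sources). The toy_* functions and the single static block are hypothetical stand-ins for __freeCrtMemory(), _mtterm(), _CrtCheckMemory() and the CRT's per-thread data; the 0xDD fill mirrors how the debug heap marks freed blocks that it keeps around for checking.

```c
#include <stdio.h>
#include <string.h>

#define DEAD_FILL  0xDD   /* fill byte written over a block when it is freed */
#define BLOCK_SIZE 32

/* Toy model: one runtime-owned block that is kept (not reused) after free. */
static struct { unsigned char data[BLOCK_SIZE]; int freed; } blk;

/* Stand-in for __freeCrtMemory(): release the block and poison its contents. */
static void toy_free_crt_memory(void)
{
    memset(blk.data, DEAD_FILL, BLOCK_SIZE);
    blk.freed = 1;
}

/* Stand-in for _mtterm(): tears down per-thread state, which writes to the block. */
static void toy_mtterm(void) { blk.data[0] = 0; }

/* Stand-in for _CrtCheckMemory(): a freed block must still hold only the fill byte. */
static int toy_check_memory(void)
{
    if (!blk.freed) return 1;
    for (int i = 0; i < BLOCK_SIZE; i++)
        if (blk.data[i] != DEAD_FILL) return 0;   /* written after free */
    return 1;
}

/* Run the teardown in either order; returns 1 if the heap check passes. */
int teardown(int free_first)
{
    memset(&blk, 0, sizeof blk);
    if (free_first) toy_free_crt_memory();    /* order shown in the report */
    toy_mtterm();
    if (!free_first) toy_free_crt_memory();   /* order the report proposes */
    return toy_check_memory();
}

int main(void)
{
    printf("free before _mtterm: %s\n", teardown(1) ? "clean" : "write to freed block detected");
    printf("free after _mtterm:  %s\n", teardown(0) ? "clean" : "write to freed block detected");
    return 0;
}
```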
Posted by Microsoft on 2/17/2013 at 11:29 PM
Hello,

Thank you for reporting this issue! We have fixed this bug and the fix will be available in the next release of our Visual C++ libraries.

Note: Connect doesn't notify me about comments. If you have any further questions, please feel free to e-mail me.

James McNellis
Visual C++ Libraries
james.mcnellis@microsoft.com
Posted by Microsoft on 12/4/2012 at 7:40 PM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow-up with your issue.
Posted by Microsoft on 12/4/2012 at 2:51 PM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly(http://support.microsoft.com)