
Debug CRT writes to a freed block when _CrtSetDbgFlag(_CRTDBG_LEAK_CHECK_DF) is used by Vladimir2013

Status: Closed as Duplicate

Type: Bug
ID: 780768
Opened: 3/6/2013 2:06:50 AM
Access Restriction: Public
When a DLL with a statically linked debug CRT, which called _CrtSetDbgFlag(_CRTDBG_LEAK_CHECK_DF), exits, CRT code will write to a freed heap block. This will be caught by the page heap or some other heap debugger and can potentially lead to memory corruption.

The problem is that __freeCrtMemory() from crt0dat.c will be called twice (stack traces attached) and it will decrement the reference count for __ptmbcinfo twice (line 495):

    if (InterlockedDecrement(&(__ptmbcinfo->refcount)) == 0 && __ptmbcinfo != &__initialmbcinfo)
    {
        _free_crt(__ptmbcinfo);
        __ptmbcinfo = &__initialmbcinfo;
    }

This structure was allocated at mbctype.cpp:600 and has a refcount of 2 since it is also stored in the _getptd() data.



Visual Studio/Team Foundation Server/.NET Framework Tooling Version

Visual Studio 2012

Steps to reproduce

- The sample solution is attached (it consists of a DLL project and a console application that loads it). The DLL calls _CrtSetDbgFlag() and is statically linked with the CRT.

- Build the project in the 32-bit debug mode.

- Activate the page heap for the generated EXE file:
gflags.exe -p /enable CRTHeap.exe.

- Run the program in the debugger from Visual Studio (disable all breakpoints).

- Page heap verification will break and display the message:
VERIFIER STOP 0000000E: pid xxxxx: corrupted infix pattern for freed block

The corruption address will be the same as the address allocated at mbctype.cpp:600.

Product Language

English

Operating System

Windows 7

Operating System Language

English

Actual results

Freed heap block is corrupted by the CRT shutdown.

Expected results

CRT should not write to the freed heap block.
File Attachments
File Name Submitted By Submitted On File Size  
CRTHeap.zip (restricted) 3/6/2013 -
stacktrace.txt (restricted) 3/6/2013 -
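A minimal model of the double-release described in this report, added here as an example (it is not CRT code and not the reporter's attached solution): the names g_ptmbcinfo, g_initialmbcinfo and g_ptd_mbcinfo are hypothetical stand-ins for the CRT globals, "freeing" is recorded in a flag so the use-after-free can be observed without undefined behaviour, and the idempotent guard is one assumed fix, not necessarily the one Microsoft shipped.

```c
#include <stdlib.h>

/* Model of the CRT's reference-counted multibyte-codepage block. Names are
   hypothetical stand-ins for __ptmbcinfo / __initialmbcinfo / _getptd(). */
typedef struct mbcinfo {
    long refcount;
    int  freed;   /* set instead of really freeing, so callers can inspect it safely */
} mbcinfo;

static mbcinfo  g_initialmbcinfo = { 1, 0 };          /* static block, never freed */
static mbcinfo *g_ptmbcinfo      = &g_initialmbcinfo; /* owner 1: the global pointer */
static mbcinfo *g_ptd_mbcinfo    = NULL;              /* owner 2: per-thread data */
static int      g_crt_mem_freed  = 0;                 /* guard used by the fixed path */

/* Allocate a block and give both owners a reference (refcount 2, as in the report). */
static mbcinfo *setup_mbcinfo(void) {
    mbcinfo *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->refcount = 2;
    g_ptmbcinfo = p;
    g_ptd_mbcinfo = p;
    g_crt_mem_freed = 0;
    return p;
}

/* Drop the global owner's reference, mirroring the crt0dat.c snippet above. */
static void drop_global_ref(void) {
    if (--g_ptmbcinfo->refcount == 0 && g_ptmbcinfo != &g_initialmbcinfo) {
        g_ptmbcinfo->freed = 1;                /* stands in for _free_crt() */
        g_ptmbcinfo = &g_initialmbcinfo;
    }
}

/* Buggy shutdown: each call drops a reference, so calling it twice spends the
   global owner's single reference twice and frees a block the thread data still uses. */
static void free_crt_memory_buggy(void) { drop_global_ref(); }

/* Assumed fix: make the shutdown routine idempotent, so a second pass is a no-op. */
static void free_crt_memory_fixed(void) {
    if (g_crt_mem_freed) return;
    g_crt_mem_freed = 1;
    drop_global_ref();
}

/* Per-thread teardown. Returns 1 if it released a live block, -1 if it would have
   written to an already freed block (what the page heap reports as VERIFIER STOP). */
static int ptd_release(void) {
    mbcinfo *p = g_ptd_mbcinfo;
    g_ptd_mbcinfo = NULL;
    if (p == NULL) return 0;
    if (p->freed) { free(p); return -1; }     /* model never really freed it: reclaim here */
    if (g_ptmbcinfo == p) g_ptmbcinfo = &g_initialmbcinfo;
    if (--p->refcount == 0 && p != &g_initialmbcinfo) free(p);
    return 1;
}
```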
Posted by Microsoft on 3/11/2013 at 4:01 PM
Hello,

Thank you for reporting this bug. This issue was first reported to us a few months ago (see http://connect.microsoft.com/VisualStudio/feedback/details/773459/dllcrt0-c-corrupts-heap). We have fixed this bug and the fix will be available in the next release of our Visual C++ libraries.

Note: Connect doesn't notify me about comments. If you have any further questions, please feel free to e-mail me.

James McNellis
Visual C++ Libraries
james.mcnellis@microsoft.com

Posted by Microsoft on 3/6/2013 at 9:32 PM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow up with your issue.
Posted by Microsoft on 3/6/2013 at 2:49 AM
Thank you for your feedback; we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).