From 57d5ab769be05b8d85e9a36d98b9fb2c451c9de5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 8 Oct 2018 17:41:06 -0400
Subject: [PATCH] add write-after-free tests with potential reuse
---
 test/simple-memory-corruption/Makefile | 2 ++
 .../write_after_free_large_reuse.c | 14 +++++++++++++
 .../write_after_free_small_reuse.c | 20 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 test/simple-memory-corruption/write_after_free_large_reuse.c
 create mode 100644 test/simple-memory-corruption/write_after_free_small_reuse.c
diff --git a/test/simple-memory-corruption/Makefile b/test/simple-memory-corruption/Makefile
index 98b0564..734ab63 100644
--- a/test/simple-memory-corruption/Makefile
+++ b/test/simple-memory-corruption/Makefile
@@ -8,7 +8,9 @@ EXECUTABLES := \
 read_after_free_large \
 read_after_free_small \
 write_after_free_large \
+ write_after_free_large_reuse \
 write_after_free_small \
+ write_after_free_small_reuse \
 read_zero_size \
 write_zero_size \
 invalid_free_protected \
diff --git a/test/simple-memory-corruption/write_after_free_large_reuse.c b/test/simple-memory-corruption/write_after_free_large_reuse.c
new file mode 100644
index 0000000..c32e77b
--- /dev/null
+++ b/test/simple-memory-corruption/write_after_free_large_reuse.c
@@ -0,0 +1,14 @@
+#include
+#include
+
+__attribute__((optimize(0)))
+int main(void) {
+ char *p = malloc(128 * 1024);
+ if (!p) {
+ return 1;
+ }
+ free(p);
+ char *q = malloc(128 * 1024);
+ p[64 * 1024 + 1] = 'a';
+ return 0;
+}
diff --git a/test/simple-memory-corruption/write_after_free_small_reuse.c b/test/simple-memory-corruption/write_after_free_small_reuse.c
new file mode 100644
index 0000000..ca6564e
--- /dev/null
+++ b/test/simple-memory-corruption/write_after_free_small_reuse.c
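Review bot: In write_after_free_large_reuse.c the second allocation `q` is never checked, so if that `malloc(128 * 1024)` fails the stale write through `p` runs with no reuse candidate and the case quietly degrades to the plain write_after_free_large test. Adding `if (!q) { return 1; }` right after the allocation, matching the existing check on `p`, keeps a setup failure distinguishable from the outcome under test. A one-line comment such as `// q may be handed p's old region; the stale write below is presumably still expected to be caught` would also record why the otherwise unused `q` exists. The same unchecked, uncommented `q` appears in write_after_free_small_reuse.c.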
@@ -0,0 +1,20 @@
+#include
+#include
+
+__attribute__((optimize(0)))
+int main(void) {
+ char *p = malloc(128);
+ if (!p) {
+ return 1;
+ }
+ free(p);
+ char *q = malloc(128);
+
+ p[65] = 'a';
+
+ // trigger reuse of the allocation
+ for (size_t i = 0; i < 100000; i++) {
+ free(malloc(128));
+ }
+ return 0;
+}
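Review bot: The iteration count `100000` in the reuse loop is an unexplained constant, and whether the slot written at `p[65]` is ever handed out again presumably depends on how long the allocator holds freed 128-byte slots back before reusing them. If that delay is tunable and ever exceeds what the loop cycles through, the program reaches `return 0` without the stale write having been examined. A comment stating the assumption, for example `// must exceed the number of frees the allocator delays before a slot is reused`, would make that dependency visible to whoever changes the allocator configuration. Separately, `__attribute__((optimize(0)))` (here and in the large variant) is a GCC attribute that Clang ignores, so under Clang with optimisation enabled the unused `free(malloc(128))` pairs and the dead store may be elided; it is worth confirming the compiler flags used for this test directory.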