\u00b7<\/strong> unsorted bin\u76f8\u5f53\u4e8e\u4e00\u4e2a\u4e34\u65f6\u4e2d\u8f6c\u7ad9\uff0c\u5f88\u591afree\u51fa\u6765\u7684chunk\u5728\u8fdb\u5165\u5404\u4e2abin\u4e4b\u524d\u4f1a\u5148\u8fdb\u5165\u8fd9\u4e2a\u4e2d\u8f6c\u7ad9\u3002\u4e4b\u540e\u7684malloc\u4f1a\u4f18\u5148\u5230unsorted bin\u4e2d\u5bfb\u627e\u5408\u9002\u7684chunk\uff0c\u4e0d\u5408\u9002\u7684chunk\u4f1a\u88ab\u5206\u6d41\u5230smallbin\/largebin\u3002<\/p>\n\n\n\n \u00b7<\/strong> \u4e0etcache\u4e0d\u540c\uff0cunsorted bin\u4f7f\u7528\u53cc\u5411\u94fe\u8868\u3002\u8fdb\u5165unsorted bin\u7684chunk\u7684user_data+0x00\u4f1a\u5199\u6210fd\uff0c\u6307\u5411\u94fe\u8868\u4e2d\u7684\u4e0b\u4e00\u4e2achunk\uff1buser_data+0x08\u4f1a\u5199\u6210bk\uff0c\u6307\u5411\u94fe\u8868\u4e2d\u7684\u4e0a\u4e00\u4e2achunk\uff08\u4ee5\u8fdb\u5165unsorted bin\u7684\u5148\u540e\u987a\u5e8f\u4e3a\u524d\u540e\u987a\u5e8f\uff09\u3002\u82e5\u524d\u9762\u6216\u540e\u9762\u6ca1\u6709chunk\uff0c\u5219fd\/bk\u6307\u5411head\u3002head\u5728main_arena\u4e2d\uff0cmain_arena\u662flibc\u4e2d\u7684malloc\u6838\u5fc3\u7ba1\u7406\u7ed3\u6784\uff0c\u6240\u4ee5head\u4f1a\u662f\u4e00\u4e2alibc\u5730\u5740\u3002<\/p>\n\n\n\n \u00b7<\/strong> \u4f7f\u7528\u5982\u4e0b\u5b9e\u4f8b\uff1a<\/p>\n\n\n\n \u00b7<\/strong> \u56db\u6b21malloc\u540e\uff0c\u5148\u770b\u4e00\u4e0b\u56db\u4e2achunk\u7684user_date\u5730\u5740\uff1a<\/p>\n\n\n\n \u00b7<\/strong> \u7b2c\u4e00\u6b21free\u540e\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230chunk_a\u5df2\u8fdb\u5165unsorted bin\uff0c\u4e14\u94fe\u8868\u4e2d\u5199\u5165\u7684\u662fchunk_head\u800c\u4e0d\u662fuser_data\u5730\u5740\u3002\u7531\u4e8ea\u662fbin\u4e2d\u552f\u4e00\u4e00\u4e2achunk\uff0c\u5b83\u7684fd\u548cbk\u5c31\u90fd\u6307\u5411head\u3002<\/p>\n\n\n\n \u00b7<\/strong> \u4e09\u6b21free\u540e\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230unsorted bin\u4e2d\u4ecd\u7136\u53ea\u6709chunk_a\uff0c\u800cchunk_b\u548cchunk_c\u4e0d\u77e5\u6240\u8e2a\uff0cchunk_a\u7684fd\u548cbk\u4ecd\u7136\u90fd\u6307\u5411head\uff0cchunk_b\u548cchunk_c\u4e5f\u6ca1\u6709\u5199\u5165fd\/bk\uff0c\u4e3a\u4ec0\u4e48\uff1f<\/p>\n\n\n\n \u56e0\u4e3achunk_a,b,c\u662f\u4e00\u6bb5\u8fde\u7eed\u7684\u5185\u5b58\u533a\u57df\u7684\u4e09\u4e2achunk\uff0c\u4e00\u4e2achunk\u88abfree\u8fdbunsorted bin\u65f6\uff0cglibc\u4f1a\u5148\u540e\u68c0\u67e5\u4e0e\u4ed6\u7269\u7406\u76f8\u90bb\u7684\u4e0a\u4e00\u4e2a\u4e0e\u4e0b\u4e00\u4e2achunk\u662f\u5426\u5904\u4e0e\u4f7f\u7528\u72b6\u6001\uff0c\u82e5\u76f8\u90bbchunk\u5904\u4e8e\u7a7a\u95f2\u72b6\u6001\u5219glibc\u4f1a\u5c06\u4e24\u4e2achunk\u8fdb\u884c\u5408\u5e76\u3002\u6240\u4ee5\u7531\u4e8echunk_b\u88abfree\u65f6chunk_a\u7a7a\u95f2\u3001chunk_c\u4f7f\u7528\u4e2d\uff0cchunk_a\u5c31\u88abchunk_b\u5411\u4e0b\u5408\u5e76\uff0c\u6210\u4e3a\u4e00\u5757chunk<\/strong>\u3002chunk_c\u88abfree\u65f6\u540c\u7406\uff0c\u5bfc\u81f4\u4e09\u4e2achunk\u6700\u7ec8\u6210\u4e3a\u4e00\u4e2achunk\uff0c\u6240\u4ee5unsorted bin\u4e2d\u53ea\u6709chunk_a\u7684\u5730\u5740\u3002<\/p>\n\n\n\n \u6ce8\u610f\uff1a\u53d1\u751f\u5408\u5e76\u662f\u76f8\u90bb\u7684\u4e24\u4e2achunk\u53ea\u9700\u6ee1\u8db3\u201c\u90fd\u5904\u4e8e\u7a7a\u95f2\u72b6\u6001\u201d\u4e0e\u201c\u7269\u7406\u76f8\u90bb\u201d\u4e24\u4e2a\u6761\u4ef6\uff0c\u4e0d\u9700\u8981\u90fd\u4f4d\u4e8eunsorted bin\u94fe\u8868\u4e2d\u3002\u5408\u5e76\u8fc7\u7a0b\u4e2d\uff0c\u82e5\u76f8\u90bbchunk\u4f4d\u4e8e\u5176\u4ed6bin\uff0c\u5219\u5176\u4f1a\u88ab\u4ece\u5176\u539f\u672cbin\u4e2d\u6458\u51fa\u6765\u518d\u4e0e\u8be5chunk\u5408\u5e76\uff0c\u5408\u5e76\u540e\u7684\u7ed3\u679c\u4e00\u822c\u4f1a\u91cd\u65b0\u6302\u56deunsorted bin\uff0c\u9664\u975e\u76f4\u63a5\u5e76\u8fdbtop\u3002fastbin\u9664\u5916\u3002<\/p>\n\n\n\n \u00b7<\/strong> \u73b0\u5728\u6765\u770b\u4e0b\u9762\u8fd9\u4e2a\u5b9e\u4f8b\uff1a<\/p>\n\n\n\n \u00b7<\/strong> \u56db\u6b21free\u540e\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u8fd9\u6b21\u88abfree\u7684\u56db\u4e2achunk\u90fd\u8fdb\u5165\u4e86unsorted bin\u94fe\u8868\uff0c\u4e14\u6309\u7167\u8fdb\u5165bin\u7684\u5148\u540e\u987a\u5e8f\u4f7f\u7528fd\/bk\u76f8\u4e92\u8fde\u63a5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":" 0x1 unsorted bin\u662f\u4ec0\u4e48  \u2026<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-114","post","type-post","status-publish","format-standard","hentry","category-heap2-31"],"_links":{"self":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":1,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":119,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions\/119"}],"wp:attachment":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} 0x2 unsorted bin\u5b9e\u4f8b<\/h3>\n\n\n\n
#include <stdio.h> \n#include <stdlib.h> \n#include <stdint.h> \n#include <unistd.h> \n\nint main() { \n setbuf(stdin, NULL); \n setbuf(stdout, NULL); \n setbuf(stderr, NULL); \n\n char *a = malloc(0x420); \n char *b = malloc(0x420); \n char *c = malloc(0x420); \n char *d = malloc(0x20); \n\n free(a); \n free(b); \n free(c); \n\n return 0; \n}<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-10.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-11.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-12.png\")
<\/figure>\n\n\n\n#include <stdio.h> \n#include <stdlib.h> \n#include <stdint.h> \n#include <unistd.h> \n\nint main() { \n setbuf(stdin, NULL); \n setbuf(stdout, NULL); \n setbuf(stderr, NULL); \n\n char *a = malloc(0x420); \n char *b = malloc(0x20); \n char *c = malloc(0x420); \n char *d = malloc(0x20); \n char *e = malloc(0x420); \n char *f = malloc(0x20); \n char *g = malloc(0x420); \n char *h = malloc(0x20); \n\n free(a); \n free(c); \n free(e); \n free(g); \n\n return 0; \n}<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-13.png\")
<\/figure>\n\n\n\n