First-fit behavior

    Consider the sample code:

    The state of unsorted bin progresses as:

    1. ‘a’ freed.

      head -> a -> tail

    2. ‘malloc’ request.

      head -> a2 -> tail [ ‘a1’ is returned ]

    Chunk ‘a’ is split into two chunks, ‘a1’ and ‘a2’, because the requested size (250 bytes) is smaller than the size of chunk ‘a’ (300 bytes); ‘a1’ is returned to the caller and the remainder ‘a2’ stays in the unsorted bin. This corresponds to [6. iii.] in .

    Consider the sample code:

    The state of the particular fastbin progresses as:

    1. ‘a’ freed.

      head -> a -> tail

    2. ‘b’ freed.

      head -> b -> a -> tail

    3. ‘c’ freed.

      head -> c -> b -> a -> tail

    4. ‘d’ freed.

      head -> d -> c -> b -> a -> tail

    5. ‘malloc’ request.

      head -> c -> b -> a -> tail [ ‘d’ is returned ]

    6. ‘malloc’ request.

      head -> b -> a -> tail [ ‘c’ is returned ]

    7. ‘malloc’ request.

      head -> a -> tail [ ‘b’ is returned ]

    8. ‘malloc’ request.

      head -> tail [ ‘a’ is returned ]

    The smaller size here (20 bytes) ensured that on freeing, the chunks went into a fastbin instead of the unsorted bin. Fastbins are LIFO singly linked lists, so the chunks come back out in the reverse of the order in which they were freed.
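    The following program is an added example (not code from the book) that exercises both behaviours described above against the real glibc allocator: the first-fit split of a freed chunk in the unsorted bin, and the LIFO reuse order of small freed chunks. On glibc 2.26 and later the per-thread tcache sits in front of the bins: 20-byte chunks are cached there rather than in a fastbin (tcache is LIFO as well, so the observed order d, c, b, a is the same), and a freed 300-byte chunk would be held in tcache and never reach the unsorted bin. The split demo therefore uses 1280/1024-byte requests, which are above the tcache size limit, so the freed chunk takes the unsorted-bin path on both old and new glibc. The chunk-size figures in the comments assume 64-bit glibc; the program compares addresses only and never touches freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the book's code. Addresses are stored as uintptr_t so
 * that freed memory is only compared, never dereferenced. */

/* Free four 20-byte chunks in the order a, b, c, d and allocate four again.
 * Fastbins (pre-2.26 glibc) and tcache (2.26+) are both LIFO lists, so the
 * allocations are expected to come back as d, c, b, a.
 * Returns 1 when that order is observed, 0 otherwise. */
int lifo_reuse_order(void)
{
    void *p[4];
    uintptr_t before[4], after[4];

    for (int i = 0; i < 4; i++) {
        p[i] = malloc(20);            /* 0x20-byte chunk on 64-bit glibc */
        before[i] = (uintptr_t)p[i];
    }
    for (int i = 0; i < 4; i++)
        free(p[i]);                   /* list: head -> d -> c -> b -> a -> tail */
    for (int i = 0; i < 4; i++) {
        p[i] = malloc(20);            /* pops from the head of the list */
        after[i] = (uintptr_t)p[i];
    }

    int lifo = after[0] == before[3] && after[1] == before[2] &&
               after[2] == before[1] && after[3] == before[0];

    for (int i = 0; i < 4; i++)
        free(p[i]);
    return lifo;
}

/* First-fit split: free one large chunk, then request something smaller.
 * The freed chunk is split, the front part (a1) is returned and the
 * remainder (a2) stays in the bins, so the new pointer equals the old one.
 * 1280 bytes gives a 0x510-byte chunk, above the 0x410 tcache limit, so the
 * free goes to the unsorted bin. A second in-use chunk follows it to stop
 * it from being merged back into the top chunk on free.
 * Returns 1 when the 1024-byte request reuses a's address, 0 otherwise. */
int first_fit_split(void)
{
    char *a = malloc(1280);
    char *guard = malloc(1280);       /* keeps a away from the top chunk */
    uintptr_t a_addr = (uintptr_t)a;

    free(a);                          /* head -> a -> tail */
    char *c = malloc(1024);           /* a split into a1 (returned) and a2 */
    int reused = (uintptr_t)c == a_addr;

    free(guard);
    free(c);
    return reused;
}

int main(void)
{
    printf("LIFO reuse order (d, c, b, a): %s\n",
           lifo_reuse_order() ? "observed" : "not observed");
    printf("first-fit split returned a's address: %s\n",
           first_fit_split() ? "yes" : "no");
    return 0;
}
```

    Running it once on a fresh heap prints "observed" and "yes" on glibc; the exact addresses differ per run, which is why the program reports the relationship between allocations rather than the raw pointers. Each function is written for a single call: a second call of `first_fit_split` finds the 1024-byte chunk it freed waiting in tcache and is served from there instead of splitting the new free chunk, which is itself a small illustration of how tcache changes first-fit reasoning.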

    See sample piece of vulnerable code: