[Gc] heap overflow

Hans Van den Eynden hans.vandeneynden at pandora.be
Tue Nov 9 06:40:17 PST 2004


The description of the  Sweep phase says:

"Nonempty small object pages are swept when an allocation attempt 
encounters an empty free list for that object size and kind. Pages for 
the correct size and kind are repeatedly swept until at least one empty 
block is found. Sweeping such a page involves scanning the mark bit 
array in the page header, and building a free list linked through the 
first words in the objects themselves. This does involve touching the 
appropriate data page, but in most cases it will be touched only just 
before it is used for allocation. Hence any paging is essentially 
unavoidable. "

But if there is a linked list throught the first words in the object, 
this pointers could be overridden by an bufferoverflow?
Where can i find the struct of the object itself. How is the object 
itself intern constructed (the inner structure)??



More information about the Gc mailing list