# Double-Free Protections It wouldn't be fun if there were no protections, right? Using Xenial Xerus, try running: ```c #include #include int main() { int *a = malloc(0x50); free(a); free(a); return 1; } ``` Notice that it throws an error. ### Double Free or Corruption (Fasttop) > Is the chunk at the top of the bin the same as the chunk being inserted? For example, the following code still works: ```c #include #include int main() { int *a = malloc(0x50); int *b = malloc(0x50); free(a); free(b); free(a); return 1; } ``` ### malloc(): memory corruption (fast) > When removing the chunk from a fastbin, make sure the size falls into the fastbin's range The previous protection could be bypassed by freeing another chunk in between the double-free and just doing a bit more work that way, but then you fall into this trap. Namely, if you overwrite `fd` with something like `0x08041234`, you have to make sure the metadata fits - i.e. the size ahead of the data is completely correct - and that makes it harder, because you can't just write into the GOT, unless you get lucky. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/binexp/heap/double-free/double-free-protections.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.