Comments on: Crash Dump Analysis Patterns (Part 23a) https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 19 May 2026 01:54:35 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-741738 Dmitry Vostokov Sun, 04 Jun 2017 14:10:18 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-741738 0:000> !heap -s -v Details: Heap address: 00cb0000 Error address: 103f4550 Error type: HEAP_FAILURE_BLOCK_NOT_BUSY Details: The caller performed an operation (such as a free or a size check) that is illegal on a free block. Follow-up: Check the error's stack trace to find the culprit. Stack trace: 772ec3bd: ntdll!RtlpFreeHeapInternal+0x000000db 772ac6dc: ntdll!RtlFreeHeap+0x0000002c 747a8eab: combase!CRetailMalloc_Free+0x0000001b 6a3537b1: hlink!CMalloc::Free+0x00000031 6a3536b3: hlink!HLNK_Unk::Release+0x000000f3 2e5933a8: PPCORE!PPMain+0x00406423 2e2847ba: PPCORE!PPMain+0x000f7835 2e26a9ec: PPCORE!PPMain+0x000dda67 2e26a8dd: PPCORE!PPMain+0x000dd958 2e26a76e: PPCORE!PPMain+0x000dd7e9 2e26a6e7: PPCORE!PPMain+0x000dd762 2e26a68c: PPCORE!PPMain+0x000dd707 2e26a616: PPCORE!PPMain+0x000dd691 2e26a5ec: PPCORE!PPMain+0x000dd667 54a6647e: OART!Ordinal834+0x00000057 54ade32c: OART!Ordinal971+0x00000094 0:000> !heap -x 103f4550 Entry User Heap Segment Size PrevSize Unused Flags ----------------------------------------------------------------------------- 103f4550 103f4558 00cb0000 1010ffa8 e0 - 0 LFH;free 0:000> !heap -s -v

Details:

Heap address: 00cb0000
Error address: 103f4550
Error type: HEAP_FAILURE_BLOCK_NOT_BUSY
Details: The caller performed an operation (such as a free
or a size check) that is illegal on a free block.
Follow-up: Check the error’s stack trace to find the culprit.

Stack trace:
772ec3bd: ntdll!RtlpFreeHeapInternal+0×000000db
772ac6dc: ntdll!RtlFreeHeap+0×0000002c
747a8eab: combase!CRetailMalloc_Free+0×0000001b
6a3537b1: hlink!CMalloc::Free+0×00000031
6a3536b3: hlink!HLNK_Unk::Release+0×000000f3
2e5933a8: PPCORE!PPMain+0×00406423
2e2847ba: PPCORE!PPMain+0×000f7835
2e26a9ec: PPCORE!PPMain+0×000dda67
2e26a8dd: PPCORE!PPMain+0×000dd958
2e26a76e: PPCORE!PPMain+0×000dd7e9
2e26a6e7: PPCORE!PPMain+0×000dd762
2e26a68c: PPCORE!PPMain+0×000dd707
2e26a616: PPCORE!PPMain+0×000dd691
2e26a5ec: PPCORE!PPMain+0×000dd667
54a6647e: OART!Ordinal834+0×00000057
54ade32c: OART!Ordinal971+0×00000094

0:000> !heap -x 103f4550
Entry User Heap Segment Size PrevSize Unused Flags
—————————————————————————–
103f4550 103f4558 00cb0000 1010ffa8 e0 - 0 LFH;free

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-741661 Dmitry Vostokov Thu, 26 Feb 2015 17:50:25 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-741661 An example of Double Free detected in Windows 7: 0:048> k ChildEBP RetAddr 206dee98 777f8567 ntdll!ZwWaitForSingleObject+0x15 206def1c 777f8695 ntdll!RtlReportExceptionEx+0x14b 206def74 7781e6e6 ntdll!RtlReportException+0x86 206def88 7781e763 ntdll!RtlpTerminateFailureFilter+0x14 206def94 777c73dc ntdll!RtlReportCriticalFailure+0x67 206defa8 777c7281 ntdll!_EH4_CallFilterFunc+0x12 206defd0 777ab499 ntdll!_except_handler4+0x8e 206deff4 777ab46b ntdll!ExecuteHandler2+0x26 206df018 777ab40e ntdll!ExecuteHandler+0x24 206df0a4 77760133 ntdll!RtlDispatchException+0x127 206df0a4 7781e753 ntdll!KiUserExceptionDispatcher+0xf 206df5e8 7781f659 ntdll!RtlReportCriticalFailure+0x57 206df5f8 7781f739 ntdll!RtlpReportHeapFailure+0x21 206df62c 777ce045 ntdll!RtlpLogHeapFailure+0xa1 206df65c 76aa6e6a ntdll!RtlFreeHeap+0x64 206df670 58110076 ole32!CRetailMalloc_Free+0x1c [d:\w7rtm\com\ole32\com\class\memapi.cxx @ 687] WARNING: Stack unwind information not available. Following frames may be wrong. 206df6ac 581100e9 OUTLMIME!MimeOleInetDateToFileTime+0xd562 206df6b8 5811051d OUTLMIME!MimeOleInetDateToFileTime+0xd5d5 206df6e0 771562fa OUTLMIME!MimeOleInetDateToFileTime+0xda09 206df70c 77156d3a user32!InternalCallWinProc+0x23 206df784 771577c4 user32!UserCallWinProcCheckWow+0x109 206df7e4 77157bca user32!DispatchMessageWorker+0x3bc 206df7f4 581d74e6 user32!DispatchMessageA+0xf 206df830 581e04a3 OUTLPH!DllGetClassObject+0x5616 206df84c 581df9ac OUTLPH!DllGetClassObject+0xe5d3 206df880 6e558488 OUTLPH!DllGetClassObject+0xdadc 206df8a4 650fa17d OLMAPI32!HrCreateAsyncArgSet+0x479 206df8e8 650f8221 MSO!Ordinal381+0x48d 206df908 650f80a9 MSO!Ordinal9712+0x237 206df924 650f32d6 MSO!Ordinal9712+0xbf 206df958 650efe05 MSO!Ordinal5368+0x382 206df9b4 7725338a MSO!MsoFInitOffice+0x363 206df9c0 77789f72 kernel32!BaseThreadInitThunk+0xe 206dfa00 77789f45 ntdll!__RtlUserThreadStart+0x70 206dfa18 00000000 ntdll!_RtlUserThreadStart+0x1b Because we have the stack unwind warning we double check the return address to verify that OUTLMIME module called heap free function. The call involves triple indirection of 58149f04 pointer address:   0:048> ub 58110076 OUTLMIME!MimeOleInetDateToFileTime+0xd550: 58110064 8b0f mov ecx,dword ptr [edi] 58110066 3bcb cmp ecx,ebx 58110068 740e je OUTLMIME!MimeOleInetDateToFileTime+0xd564 (58110078) 5811006a a1049f1458 mov eax,dword ptr [OUTLMIME!HrGetMIMEStreamForMAPIMsg+0xe528 (58149f04)] 5811006f 8b10 mov edx,dword ptr [eax] 58110071 51 push ecx 58110072 50 push eax 58110073 ff5214 call dword ptr [edx+14h] 0:048> dps poi(poi(58149f04))+14 L1 76b97264 76aa6e4e ole32!CRetailMalloc_Free [d:\w7rtm\com\ole32\com\class\memapi.cxx @ 680] 0:048> !heap -s ************************************************************** * * * HEAP ERROR DETECTED * * * ************************************************************** Details: Heap address: 00280000 Error address: 1cecd3e8 Error type: HEAP_FAILURE_BLOCK_NOT_BUSY Details: The caller performed an operation (such as a free or a size check) that is illegal on a free block. Follow-up: Check the error's stack trace to find the culprit. Stack trace: 777ce045: ntdll!RtlFreeHeap+0x00000064 76aa6e6a: ole32!CRetailMalloc_Free+0x0000001c 58110076: OUTLMIME!MimeOleInetDateToFileTime+0x0000d562 581100e9: OUTLMIME!MimeOleInetDateToFileTime+0x0000d5d5 5811051d: OUTLMIME!MimeOleInetDateToFileTime+0x0000da09 771562fa: user32!InternalCallWinProc+0x00000023 77156d3a: user32!UserCallWinProcCheckWow+0x00000109 771577c4: user32!DispatchMessageWorker+0x000003bc 77157bca: user32!DispatchMessageA+0x0000000f 581d74e6: OUTLPH!DllGetClassObject+0x00005616 581e04a3: OUTLPH!DllGetClassObject+0x0000e5d3 581df9ac: OUTLPH!DllGetClassObject+0x0000dadc 6e558488: OLMAPI32!HrCreateAsyncArgSet+0x00000479 650fa17d: MSO!Ordinal381+0x0000048d 650f8221: MSO!Ordinal9712+0x00000237 650f80a9: MSO!Ordinal9712+0x000000bf [...] 0:048> !heap -x 1cecd3e8 Entry User Heap Segment Size PrevSize Unused Flags ----------------------------------------------------------------------------- 1cecd3e8 1cecd3f0 00280000 0f945f18 20 - 0 LFH;free An example of Double Free detected in Windows 7:

0:048> k
ChildEBP RetAddr
206dee98 777f8567 ntdll!ZwWaitForSingleObject+0×15
206def1c 777f8695 ntdll!RtlReportExceptionEx+0×14b
206def74 7781e6e6 ntdll!RtlReportException+0×86
206def88 7781e763 ntdll!RtlpTerminateFailureFilter+0×14
206def94 777c73dc ntdll!RtlReportCriticalFailure+0×67
206defa8 777c7281 ntdll!_EH4_CallFilterFunc+0×12
206defd0 777ab499 ntdll!_except_handler4+0×8e
206deff4 777ab46b ntdll!ExecuteHandler2+0×26
206df018 777ab40e ntdll!ExecuteHandler+0×24
206df0a4 77760133 ntdll!RtlDispatchException+0×127
206df0a4 7781e753 ntdll!KiUserExceptionDispatcher+0xf
206df5e8 7781f659 ntdll!RtlReportCriticalFailure+0×57
206df5f8 7781f739 ntdll!RtlpReportHeapFailure+0×21
206df62c 777ce045 ntdll!RtlpLogHeapFailure+0xa1
206df65c 76aa6e6a ntdll!RtlFreeHeap+0×64
206df670 58110076 ole32!CRetailMalloc_Free+0×1c [d:\w7rtm\com\ole32\com\class\memapi.cxx @ 687]
WARNING: Stack unwind information not available. Following frames may be wrong.
206df6ac 581100e9 OUTLMIME!MimeOleInetDateToFileTime+0xd562
206df6b8 5811051d OUTLMIME!MimeOleInetDateToFileTime+0xd5d5
206df6e0 771562fa OUTLMIME!MimeOleInetDateToFileTime+0xda09
206df70c 77156d3a user32!InternalCallWinProc+0×23
206df784 771577c4 user32!UserCallWinProcCheckWow+0×109
206df7e4 77157bca user32!DispatchMessageWorker+0×3bc
206df7f4 581d74e6 user32!DispatchMessageA+0xf
206df830 581e04a3 OUTLPH!DllGetClassObject+0×5616
206df84c 581df9ac OUTLPH!DllGetClassObject+0xe5d3
206df880 6e558488 OUTLPH!DllGetClassObject+0xdadc
206df8a4 650fa17d OLMAPI32!HrCreateAsyncArgSet+0×479
206df8e8 650f8221 MSO!Ordinal381+0×48d
206df908 650f80a9 MSO!Ordinal9712+0×237
206df924 650f32d6 MSO!Ordinal9712+0xbf
206df958 650efe05 MSO!Ordinal5368+0×382
206df9b4 7725338a MSO!MsoFInitOffice+0×363
206df9c0 77789f72 kernel32!BaseThreadInitThunk+0xe
206dfa00 77789f45 ntdll!__RtlUserThreadStart+0×70
206dfa18 00000000 ntdll!_RtlUserThreadStart+0×1b

Because we have the stack unwind warning we double check the return address to verify that OUTLMIME module called heap free function. The call involves triple indirection of 58149f04 pointer address:


0:048> ub 58110076
OUTLMIME!MimeOleInetDateToFileTime+0xd550:
58110064 8b0f mov ecx,dword ptr [edi]
58110066 3bcb cmp ecx,ebx
58110068 740e je OUTLMIME!MimeOleInetDateToFileTime+0xd564 (58110078)
5811006a a1049f1458 mov eax,dword ptr [OUTLMIME!HrGetMIMEStreamForMAPIMsg+0xe528 (58149f04)]
5811006f 8b10 mov edx,dword ptr [eax]
58110071 51 push ecx
58110072 50 push eax
58110073 ff5214 call dword ptr [edx+14h]

0:048> dps poi(poi(58149f04))+14 L1
76b97264 76aa6e4e ole32!CRetailMalloc_Free [d:\w7rtm\com\ole32\com\class\memapi.cxx @ 680]

0:048> !heap -s
**************************************************************
* *
* HEAP ERROR DETECTED *
* *
**************************************************************

Details:

Heap address: 00280000
Error address: 1cecd3e8
Error type: HEAP_FAILURE_BLOCK_NOT_BUSY
Details: The caller performed an operation (such as a free
or a size check) that is illegal on a free block.
Follow-up: Check the error’s stack trace to find the culprit.

Stack trace:
777ce045: ntdll!RtlFreeHeap+0×00000064
76aa6e6a: ole32!CRetailMalloc_Free+0×0000001c
58110076: OUTLMIME!MimeOleInetDateToFileTime+0×0000d562
581100e9: OUTLMIME!MimeOleInetDateToFileTime+0×0000d5d5
5811051d: OUTLMIME!MimeOleInetDateToFileTime+0×0000da09
771562fa: user32!InternalCallWinProc+0×00000023
77156d3a: user32!UserCallWinProcCheckWow+0×00000109
771577c4: user32!DispatchMessageWorker+0×000003bc
77157bca: user32!DispatchMessageA+0×0000000f
581d74e6: OUTLPH!DllGetClassObject+0×00005616
581e04a3: OUTLPH!DllGetClassObject+0×0000e5d3
581df9ac: OUTLPH!DllGetClassObject+0×0000dadc
6e558488: OLMAPI32!HrCreateAsyncArgSet+0×00000479
650fa17d: MSO!Ordinal381+0×0000048d
650f8221: MSO!Ordinal9712+0×00000237
650f80a9: MSO!Ordinal9712+0×000000bf
[…]

0:048> !heap -x 1cecd3e8
Entry User Heap Segment Size PrevSize Unused Flags
—————————————————————————–
1cecd3e8 1cecd3f0 00280000 0f945f18 20 - 0 LFH;free

]]> By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 41) https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-152683 Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 41) Tue, 18 May 2010 10:37:46 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-152683 [...] we introduce an icon for Double Free (process heap) [...] […] we introduce an icon for Double Free (process heap) […]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis AntiPatterns (Part 13) https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-97765 Crash Dump Analysis » Blog Archive » Crash Dump Analysis AntiPatterns (Part 13) Tue, 06 Oct 2009 21:14:31 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-97765 [...] to catch buffer overwrites but not underwrites and heap can also be damaged by other means like double free, passing an invalid address or direct corruption of control structures via a dangling pointer. [...] […] to catch buffer overwrites but not underwrites and heap can also be damaged by other means like double free, passing an invalid address or direct corruption of control structures via a dangling pointer. […]

]]> By: Nitin https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-46269 Nitin Fri, 10 Oct 2008 12:33:27 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-46269 Hi, I tried all the examples given in this page which are supposed to genereate a crash, with pageheap enabled. But I could not see any crash. I was running the programs with and without debugger. OS was w2k3 and w2k8. Hi,
I tried all the examples given in this page which are supposed to genereate a crash, with pageheap enabled. But I could not see any crash. I was running the programs with and without debugger. OS was w2k3 and w2k8.

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 71) https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-33945 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 71) Sat, 12 Jul 2008 08:38:04 +0000 https://www.dumpanalysis.org/blog/index.php/2007/08/19/crash-dump-analysis-patterns-part-23a/#comment-33945 [...] happen due to corrupt or overwritten heap or pool control structures (for the latter see Double Free pattern). Another frequently seen specialization is called Critical Section Corruption which is [...] […] happen due to corrupt or overwritten heap or pool control structures (for the latter see Double Free pattern). Another frequently seen specialization is called Critical Section Corruption which is […]

]]>