fix double free check in secure = 4 mode; inline _mi_ptr_cookie

test/main-override-static.c

@@ -7,11 +7,13 @@
 #include <mimalloc.h>
 #include <mimalloc-override.h>  // redefines malloc etc.
 
-static void double_free();
+static void double_free1();
+static void double_free2();
 
 int main() {
   mi_version();
-  double_free();
+  //double_free1();
+  //double_free2();
   void* p1 = malloc(78);
   void* p2 = malloc(24);
   free(p1);
@@ -34,7 +36,7 @@ int main() {
   return 0;
 }
 
-static void double_free() {
+static void double_free1() {
   void* p[256];
   uintptr_t buf[256];
 
@@ -49,3 +51,21 @@ static void double_free() {
   // p[3]=0x429b2ea2000 (size=917504), p[1]=0x429b2e42000 (size=786432)
   fprintf(stderr, "p3: %p-%p, p1: %p-%p, p2: %p\n", p[3], (uint8_t*)(p[3]) + 786456, p[1], (uint8_t*)(p[1]) + 655362, p[2]);
 }
+
+static void double_free2() {
+  void* p[256];
+  uintptr_t buf[256];
+  // [INFO] Command buffer: 0x327b2000
+  // [INFO] Input size: 182
+  p[0] = malloc(712352);
+  p[1] = malloc(786432);
+  free(p[0]);
+  // [VULN] Double free
+  free(p[0]);
+  p[2] = malloc(786440);
+  p[3] = malloc(917504);
+  p[4] = malloc(786440);
+  // [BUG] Found overlap
+  // p[4]=0x433f1402000 (size=917504), p[1]=0x433f14c2000 (size=786432)
+  fprintf(stderr, "p1: %p-%p, p2: %p-%p\n", p[4], (uint8_t*)(p[4]) + 917504, p[1], (uint8_t*)(p[1]) + 786432);
+}