- use the one-byte overflow to extend the size of the next chunk
- leak the heap, then free it again and, with the overlapping chunk, corrupt the tcache bin so that it points to a chunk that contains top_chunk->size
- change the top_chunk size to use House of Orange (not the FSOP part)
- now we can get an unsorted chunk back from malloc, and with it a leak of the arena
- finally, use the one-byte overflow again to overlap, corrupt the tcache bin again by inserting __free_hook, then insert a one gadget
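
The first step relies on glibc keeping each chunk's size in-band, directly after the previous chunk's user data. The following is an added illustration, not code from the original writeup: a constructed three-chunk model (the `arena`, `bounds` and function names are hypothetical) showing how one stray byte makes a chunk claim its neighbour, and how a check against out-of-band boundaries flags it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of three adjacent 0x20-byte chunks, 64-bit glibc layout:
 * [prev_size:8][size:8][user data]; the low 3 bits of size are flags.
 * Assumes a little-endian host. */
static uint8_t arena[0x60];
static const uint64_t bounds[] = {0x00, 0x20, 0x40, 0x60}; /* out-of-band truth */

static uint64_t chunk_size(uint64_t off) {
    uint64_t s;
    memcpy(&s, arena + off + 8, sizeof s);
    return s & ~(uint64_t)7;
}

static void build_heap(void) {
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < 3; i++) {
        uint64_t s = 0x21;                 /* size 0x20 | PREV_INUSE */
        memcpy(arena + bounds[i] + 8, &s, sizeof s);
    }
}

/* The bug class: a copy into chunk 0's user data that is one byte too long.
 * Usable space is 0x18 bytes (it borrows the next chunk's prev_size field),
 * so byte 0x19 is the low byte of the next chunk's size. */
static void off_by_one_write(uint8_t last) {
    uint8_t buf[0x19];
    memset(buf, 'A', sizeof buf);
    buf[0x18] = last;
    memcpy(arena + bounds[0] + 16, buf, sizeof buf);
}

/* Integrity check: index of the first chunk whose in-band size disagrees
 * with the recorded boundaries, or -1 if the heap is consistent. */
static int first_corrupt_chunk(void) {
    for (int i = 0; i < 3; i++)
        if (bounds[i] + chunk_size(bounds[i]) != bounds[i + 1])
            return i;
    return -1;
}

int main(void) {
    build_heap();
    printf("before: %d\n", first_corrupt_chunk());
    off_by_one_write(0x41);                /* chunk 1 now claims 0x40 bytes */
    printf("after: %d, chunk 1 ends at 0x%llx\n", first_corrupt_chunk(),
           (unsigned long long)(bounds[1] + chunk_size(bounds[1])));
    return 0;
}
```

A plain walk of the in-band sizes would still end exactly at the arena boundary after the overwrite, which is why the check compares against boundaries stored outside the heap.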
See link