[Poster] Doug Lea's malloc cheatsheet || Heap Overflow visual aid
I made this poster in the beginning for myself, because I found it hard to understand Doug Lea's malloc() vulnerability.

The right word isn't actually "difficult" but, I think, "complex".
It has so many different concepts and processes and correlations and references and blahblahblah... so by the time I thought I understood one of them, I had to learn two different new ones and everything got mixed up and blurry in my head and I had to start all over again.
It was very frustrating.

But I noticed that there was a white drawing board and four different colors. At first I was just writing down super basic stuff just to keep track, but then I found myself drawing correlations between the super basic stuff, keywords, arrows, groupings... and basically building up everything that was explained in the posts.

As I said, it's not difficult, but complex: a chaining of simple concepts and ideas, but like, a super big chain of those.
And because I'm not very bright, I just thought "Know what, screw pretending I'm smart anymore, I'm going to use colors and shapes and basically make it look pretty".

I mean... it worked for me, so at least there's that. And maybe it works for you too, but as I said it was a process of reading and rereading the same stuff, so it will probably be easier if we're on the same page (a.k.a. read the docs :D).

My two sources (two of them in Spanish, sorry folks):

Phrack: Vudo malloc tricks
Set-ezine: Heap Overflows en Linux: I

Quick note on Alloc2Free

There is this flowchart in the bottom right of the image that has a 'Recently divided?' question. It can either be Yes or No. If it's No then ezpz, just keep going with the explanations.
However, if it was Yes, I had a problem. I wasn't sure what happened if the chunk was recently divided. I read Doug Lea's malloc on GitHub several times, but found so many possible explanations.
There's this bit in the dlfree() function where it goes:

void dlfree(void* mem) {
  /*
     Consolidate freed chunks with preceeding or succeeding bordering
     free chunks, if they exist, and then place in a bin. Intermixed
     with special cases for top, dv, mmapped chunks, and usage errors.
  */

Which could mean that there will be some checks in the dlfree() function to check if those are the cases. However, I didn't really find anything that could mean the 'last used chunk' or 'recently used chunk'.

Then I found another section that explained:

Chunks of the same size are arranged in a circularly-linked list, with only
the oldest chunk (the next to be used, in our FIFO ordering)
actually in the tree. (...) If a chunk with the same size as an existing node
is inserted, it is linked off the existing node using pointers that
work in the same way as fd/bk pointers of small chunks.

And:

If a chunk of the exact desired size is not available, the most recently split-off space is used (and resplit) if it is big enough; otherwise best-fit is used.
And maybe that was the case? Maybe the 'checking if recently used' means that it's going to perform some checks on whether it is the oldest chunk and then treat the chunk-to-be-free'd next to it according to its size.
I was happy with that explanation, but I don't want to make anyone think that that's the one absolute correct answer.
BUT if you know it or have a better idea, let me know :)
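To make the quoted allocation policy concrete (exact size first, then the most recently split-off space if it is big enough, otherwise best fit), here is a small toy model I added for this post. It is not dlmalloc's code and manages no real memory: chunk sizes are abstract units, the free pool is a flat array standing in for the bins, and MIN_CHUNK is an assumed threshold below which a remainder is not worth keeping.

```c
/* Toy model of the dlmalloc policy quoted above: exact fit, then the
   "designated victim" (dv, the most recently split-off space), then
   best fit among larger free chunks.  Added example, not dlmalloc. */
#include <stddef.h>
#include <string.h>

#define MAX_FREE  16
#define MIN_CHUNK 4   /* assumed: smallest remainder worth keeping as dv */

struct heap {
    size_t free_sz[MAX_FREE]; /* sizes of free chunks (stand-in for bins) */
    int    nfree;
    size_t dv;                /* most recently split-off space, 0 if none */
};

static void push_free(struct heap *h, size_t sz) {
    if (sz > 0 && h->nfree < MAX_FREE) h->free_sz[h->nfree++] = sz;
}

static void remove_free(struct heap *h, int i) {
    h->free_sz[i] = h->free_sz[--h->nfree];   /* order inside the pool is irrelevant */
}

/* Returns the size handed out (0 if nothing fits) and reports in *source
   which path served the request: "exact", "dv", "bestfit" or "none". */
size_t toy_malloc(struct heap *h, size_t n, const char **source) {
    int best = -1;
    for (int i = 0; i < h->nfree; i++) {
        if (h->free_sz[i] == n) { remove_free(h, i); *source = "exact"; return n; }
        if (h->free_sz[i] > n && (best < 0 || h->free_sz[i] < h->free_sz[best]))
            best = i;                          /* smallest chunk larger than n */
    }
    if (h->dv >= n) {                          /* "recently divided": resplit dv */
        size_t rem = h->dv - n;
        h->dv = rem >= MIN_CHUNK ? rem : 0;    /* leftover stays the dv */
        *source = "dv";
        return rem >= MIN_CHUNK ? n : n + rem; /* tiny leftover is handed out too */
    }
    if (best < 0) { *source = "none"; return 0; }
    size_t sz = h->free_sz[best];
    remove_free(h, best);
    if (h->dv) push_free(h, h->dv);            /* old dv goes back to the pool */
    size_t rem = sz - n;
    h->dv = rem >= MIN_CHUNK ? rem : 0;        /* remainder becomes the new dv */
    *source = "bestfit";
    return rem >= MIN_CHUNK ? n : sz;
}
```

Running a few requests through it shows how the remainder of one split keeps being resplit until it is too small, at which point the whole leftover is handed out and the dv is cleared.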