c - C中的缓冲区溢出,具有分配双数组的功能
问题描述
我很容易地分配了一个字符串数组,到目前为止它工作得很好,但我没有在我的一个程序上使用这个函数得到缓冲区溢出。
代码 :
/*
\fn char **clean_double_alloc(int y, int x)
\brief allocate array of string in desirated size.
\param y : the number of string
\param x : the lenght of each string
\return a new array of string(char **).
*/
char **clean_double_alloc(int y, int x)
{
char **double_buffer = NULL;
double_buffer = malloc(sizeof(char *) * (y + 1));
if (double_buffer == NULL) {
put_error("allocation error !\n");
return (NULL);
}
for (int i = 0; i < y; i++) {
double_buffer[i] = NULL;
double_buffer[i] = clean_alloc(x);
if (double_buffer[i] == NULL) {
put_error("allocation error !\n");
return (NULL);
}
}
double_buffer[y + 1] = NULL;
return (double_buffer);
}
注意:我的 clean_alloc 并以它可以容纳的字符数而不是字节大小作为参数,然后用 '\0' 填充分配的空间。
clean_alloc 代码在这里:
char *clean_alloc(int size)
{
char *str = NULL;
str = malloc(size * sizeof(char));
if (str == NULL) {
my_putstr("allocation error !");
return (NULL);
}
for (int i = 0; i < size; i++)
str[i] = '\0';
return (str);
}
我用 -fsanitize=address 编译并得到以下跟踪:
==8342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000040 at pc 0x000000405176 bp 0x7ffc8d494ff0 sp 0x7ffc8d494fe0
WRITE of size 8 at 0x604000000040 thread T0
#0 0x405175 in clean_double_alloc warlock/string/initialize_more.c:35
#1 0x4015cc in prepare_maze src/main.c:55
#2 0x4013f7 in main src/main.c:38
#3 0x7f8f2926df42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
#4 0x40119d in _start (/home/mlg/Programming/github repo/Dante-s-Star/generator/generator+0x40119d)
0x604000000040 is located 0 bytes to the right of 48-byte region [0x604000000010,0x604000000040)
allocated by thread T0 here:
#0 0x7f8f29663c58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58)
#1 0x405038 in clean_double_alloc warlock/string/initialize_more.c:22
#2 0x4015cc in prepare_maze src/main.c:55
#3 0x4013f7 in main src/main.c:38
#4 0x7f8f2926df42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
SUMMARY: AddressSanitizer: heap-buffer-overflow warlock/string/initialize_more.c:35 in clean_double_alloc
Shadow bytes around the buggy address:
0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
解决方案
你是 malloc 一个y + 1
指针长的数组,但是你有这个调用:
double_buffer[y + 1] = NULL;
这看起来是一个错误,而应该是:
double_buffer[y] = NULL;
这突出了一个问题:
int buffer[3 + 1] = {1, 2, 3, 4};
printf("Correct: %d\nIncorrect: %d\n", buffer[3], buffer[3 + 1]);
推荐阅读
- flutter - 如何在具有两个实例对象的变量的类中正确组合两个模式类?
- css - 如何在 Linux 上修复 Laravel 项目中的 css 链接?
- javascript - Res.redirect() 加载为 fetch 而不是重定向?
- python - Python 字典:TypeError:“NoneType”类型的参数不可迭代
- python - Discord Bot AttributeError:“音乐”对象没有属性“_player”
- vue.js - 基本Vue待办事项列表:添加的列表项不显示
- r - 如何在图形的轴上插入点
- leaflet - 缩放时传单层与地图分开移动
- laravel - Laravel 护照安全
- javascript - 在表格 html 中显示图像