1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char* argv[]) {
    
    int num_chars = 5;
    char* s = malloc(sizeof(*s) * num_chars);
    // sizeof(*s) gives you the number of bytes per char
    // num_chars is the number of chars (elements) in the new array.
    // This will be on the HEAP (segment of memory).
    
    s[0] = 'Y';
    s[1] = 'o';
    s[2] = 'p';
    s[3] = 'e';
    s[4] = 'e';
    s[5] = 'e';
    s[6] = '\0';

    // BAD
    // char* s = (char*) malloc(sizeof(*s) * num_chars);  // no unnecessary cast
    // char* s = malloc(sizeof(char) * num_chars);        // use sizeof(expr)

    // Note:  sizeof(..) does not access or evaluate the expression so there
    //        is no problem using it before it is initialized.

    printf("%s\n", s);

    free(s);   // VERY IMPORTANT  -- WARNING:  -40% if you forget
    // Forgetting to call free(..) on *each* allocated block is a MEMORY LEAK.
    

    return EXIT_SUCCESS;
}
/*
==34726== Invalid write of size 1
==34726==    at 0x400658: main (malloc_buffer_overflow.c:17)
==34726==  Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726==    by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid write of size 1
==34726==    at 0x400663: main (malloc_buffer_overflow.c:18)
==34726==  Address 0x4c3e046 is 1 bytes after a block of size 5 alloc'd
==34726==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726==    by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid read of size 1
==34726==    at 0x4A07FC4: __GI_strlen (mc_replace_strmem.c:404)
==34726==    by 0x3F1EA6884A: puts (ioputs.c:37)
==34726==    by 0x400671: main (malloc_buffer_overflow.c:27)
==34726==  Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726==    by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid read of size 1
==34726==    at 0x3F1EA7449E: _IO_default_xsputn (genops.c:485)
==34726==    by 0x3F1EA71601: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
==34726==    by 0x3F1EA688DC: puts (ioputs.c:43)
==34726==    by 0x400671: main (malloc_buffer_overflow.c:27)
==34726==  Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726==    by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
Yopeee
==34726==
==34726== HEAP SUMMARY:
==34726==     in use at exit: 0 bytes in 0 blocks
==34726==   total heap usage: 1 allocs, 1 frees, 5 bytes allocated
==34726==
==34726== All heap blocks were freed -- no leaks are possibleO

*** NOTE:  "0 bytes after a block of size 5" means the byte immediately
           following that block.
*/
/* vim: set tabstop=4 shiftwidth=4 fileencoding=utf-8 noexpandtab: */

© Copyright 2017 Alexander J. Quinn         This content is protected and may not be shared, uploaded, or distributed.