#include <stdio.h>
#include <stdlib.h>
int main(int argc, char* argv[]) {
int num_chars = 5;
char* s = malloc(sizeof(*s) * num_chars);
// sizeof(*s) gives you the number of bytes per char
// num_chars is the number of chars (elements) in the new array.
// This will be on the HEAP (segment of memory).
s[0] = 'Y';
s[1] = 'o';
s[2] = 'p';
s[3] = 'e';
s[4] = 'e';
s[5] = 'e';  // OUT OF BOUNDS: the block holds s[0]..s[4] only (5 bytes)
s[6] = '\0'; // OUT OF BOUNDS: the terminator needs a 7th byte that was never allocated
// BAD
// char* s = (char*) malloc(sizeof(*s) * num_chars); // no unnecessary cast
// char* s = malloc(sizeof(char) * num_chars); // use sizeof(expr)
// Note: sizeof(..) does not access or evaluate the expression so there
// is no problem using it before it is initialized.
printf("%s\n", s);
free(s); // VERY IMPORTANT -- WARNING: -40% if you forget
// Forgetting to call free(..) on *each* allocated block is a MEMORY LEAK.
return EXIT_SUCCESS;
}
/*
==34726== Invalid write of size 1
==34726== at 0x400658: main (malloc_buffer_overflow.c:17)
==34726== Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726== by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid write of size 1
==34726== at 0x400663: main (malloc_buffer_overflow.c:18)
==34726== Address 0x4c3e046 is 1 bytes after a block of size 5 alloc'd
==34726== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726== by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid read of size 1
==34726== at 0x4A07FC4: __GI_strlen (mc_replace_strmem.c:404)
==34726== by 0x3F1EA6884A: puts (ioputs.c:37)
==34726== by 0x400671: main (malloc_buffer_overflow.c:27)
==34726== Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726== by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
==34726== Invalid read of size 1
==34726== at 0x3F1EA7449E: _IO_default_xsputn (genops.c:485)
==34726== by 0x3F1EA71601: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
==34726== by 0x3F1EA688DC: puts (ioputs.c:43)
==34726== by 0x400671: main (malloc_buffer_overflow.c:27)
==34726== Address 0x4c3e045 is 0 bytes after a block of size 5 alloc'd
==34726== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==34726== by 0x400618: main (malloc_buffer_overflow.c:7)
==34726==
Yopeee
==34726==
==34726== HEAP SUMMARY:
==34726== in use at exit: 0 bytes in 0 blocks
==34726== total heap usage: 1 allocs, 1 frees, 5 bytes allocated
==34726==
==34726== All heap blocks were freed -- no leaks are possible
*** NOTE: "0 bytes after a block of size 5" means the byte immediately
following that block. Lines 17 and 18 in the report are the s[5] and
s[6] stores (the block holds only s[0]..s[4]); line 27 is the printf,
where strlen() reads past the end of the block looking for the '\0'.
The output "Yopeee" still appears only because the extra bytes land in
padding after the block; that is an accident of the allocator, not
proof that the code is correct.
*/
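The fix, as an added example that is not part of the original file: size the block from the string you intend to store (strlen plus one for the terminator) and refuse any store that falls outside the allocated capacity. The helpers dup_on_heap, store_char and build_yopeee are hypothetical names chosen for this illustration, not functions from the course code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical helper (not from the original file): allocate a heap
 * block sized from the source string, plus one byte for the '\0'. */
char* dup_on_heap(const char* src) {
    size_t len = strlen(src);
    char* s = malloc(sizeof(*s) * (len + 1));  /* +1 for the terminator */
    if (s == NULL) return NULL;
    memcpy(s, src, len + 1);                    /* copies the '\0' too */
    return s;
}

/* Hypothetical bounds-checked store: capacity is the number of bytes
 * that were actually malloc'd.  Returns false instead of writing past
 * the end of the block. */
bool store_char(char* buf, size_t capacity, size_t index, char c) {
    if (buf == NULL || index >= capacity) return false;
    buf[index] = c;
    return true;
}

/* Build "Yopeee" byte by byte, as the original does, but with the
 * capacity checked on every store.  Returns how many stores were
 * rejected; 0 means the whole string plus terminator fit. */
size_t build_yopeee(char* buf, size_t capacity) {
    const char chars[] = { 'Y', 'o', 'p', 'e', 'e', 'e', '\0' };
    size_t rejected = 0;
    for (size_t i = 0; i < sizeof chars; i++) {
        if (!store_char(buf, capacity, i, chars[i])) rejected++;
    }
    return rejected;
}

int main(void) {
    /* Same mistake as the original: 5 bytes allocated, 7 stores.
     * With the check in place, the two out-of-bounds stores are
     * rejected instead of corrupting the heap. */
    size_t num_chars = 5;
    char* small = malloc(sizeof(*small) * num_chars);
    if (small == NULL) return EXIT_FAILURE;
    size_t bad = build_yopeee(small, num_chars);
    printf("5-byte block: %zu stores rejected\n", bad);
    free(small);

    /* Correct sizing: 6 characters + 1 terminator = 7 bytes. */
    char* ok = dup_on_heap("Yopeee");
    if (ok == NULL) return EXIT_FAILURE;
    printf("%s (%zu bytes allocated)\n", ok, strlen(ok) + 1);
    free(ok);   /* one free per malloc, or valgrind reports a leak */
    return EXIT_SUCCESS;
}
```

To see the original defect the way the report above was produced, compile with debugging symbols (`gcc -g -Wall malloc_buffer_overflow.c`) and run the binary under `valgrind`; building with `-fsanitize=address` instead makes gcc or clang abort on the first out-of-bounds store at run time.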
/* vim: set tabstop=4 shiftwidth=4 fileencoding=utf-8 noexpandtab: */
© Copyright 2017 Alexander J. Quinn This content is protected and may not be shared, uploaded, or distributed.