heap-buffer-overflow when assigning to static array in struct
I have a struct of the form

struct pixel_graph_header {
    int pixels[ROWS][COLS];
};
typedef struct pixel_graph_header* graph;

ROWS and COLS are both set to 1000 by compiler directives. I am trying to initialize and allocate a graph. This is what I currently have:
graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
    graph ret = malloc(sizeof(graph));              /* graph.c line 24 in the ASan report */
    for (unsigned int i = 0; i < img_height; i++) {
        for (unsigned int j = 0; j < img_width; j++) {
            ret->pixels[i][j] = pixels[i][j];       /* graph.c line 29 in the ASan report */
        }
    }
    return ret;
}
I call it from a test file with G = pixel_graph_new(width, height, pixels);, where width = 128, height = 128, and pixels is a 1000x1000 array with useful data in a 128x128 subset of it. It compiles fine, but when I run it I run into problems. I'm using ASan and get this error:
==98106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x00010d0796e1 bp 0x7ffee284a010 sp 0x7ffee28497c0
WRITE of size 512 at 0x6020000000f8 thread T0
#0 0x10d0796e0 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0)
#1 0x10cfe8320 in pixel_graph_new graph.c:29
#2 0x10cfe8d09 in main unionfind_test.c:17
#3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)
0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
allocated by thread T0 here:
#0 0x10d07bf53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
#1 0x10cfe82b2 in pixel_graph_new graph.c:24
#2 0x10cfe8d09 in main unionfind_test.c:17
#3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 04 fa fa 00 00 fa fa 00 06 fa fa 00[fa]
0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==98106==ABORTING
Abort trap: 6
I have no idea what is causing this. I can check sizeof and see that a 1000x1000 int array is allocated for ret->pixels. If I replace ret->pixels[i][j] with ret->pixels[0][0], I get the same problem, so I don't think it's an out-of-bounds error. I also can't read from ret->pixels[0][0]; it throws basically the same error, except a read instead of a write.
You have typedef struct pixel_graph_header* graph;. That means malloc(sizeof(graph)); allocates enough space to hold a pointer to struct pixel_graph_header. You need enough space for a struct pixel_graph_header, so use malloc(sizeof(struct pixel_graph_header)); instead.
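The fix from the answer, carried through as an added example written for this page (it is not the asker's or the answerer's code). It assumes ROWS and COLS are 1000 as the question states, keeps the parameter order of the posted signature (pixels, img_height, img_width), and adds two things the posted function lacks: a check that img_height and img_width fit inside ROWS x COLS, and a return statement. The two sizeof helpers make the answer's point concrete: sizeof(graph) is the 8-byte pointer the ASan report calls an "8-byte region", while sizeof(struct pixel_graph_header) is the roughly 4 MB object the loop actually writes into.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed values: the question says ROWS and COLS are set to 1000 by compiler directives. */
#ifndef ROWS
#define ROWS 1000
#endif
#ifndef COLS
#define COLS 1000
#endif

struct pixel_graph_header {
    int pixels[ROWS][COLS];
};
typedef struct pixel_graph_header* graph;

/* The two sizes the answer contrasts: sizeof(graph) is the size of one pointer,
 * sizeof(struct pixel_graph_header) is the whole ROWS x COLS block of ints. */
size_t graph_pointer_size(void) { return sizeof(graph); }
size_t graph_object_size(void)  { return sizeof(struct pixel_graph_header); }

/* Corrected constructor. Differences from the posted code:
 *  - allocates sizeof *ret (the pointed-to struct), not sizeof(graph) (the pointer);
 *  - rejects dimensions that would index past ROWS x COLS;
 *  - zero-fills the object so the region outside the copied image has defined contents;
 *  - returns the result. */
graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
    if (img_height < 0 || img_height > ROWS || img_width < 0 || img_width > COLS)
        return NULL;                       /* caller asked for more than the struct holds */
    graph ret = calloc(1, sizeof *ret);    /* sizeof *ret follows the pointer's target type */
    if (ret == NULL)
        return NULL;
    for (int i = 0; i < img_height; i++)
        for (int j = 0; j < img_width; j++)
            ret->pixels[i][j] = pixels[i][j];
    return ret;
}

void pixel_graph_free(graph g) { free(g); }

/* Constructed sample input: a 1000x1000 array with useful data only in a 128x128 corner,
 * mirroring the question's test setup. Static so it lives in .bss rather than on the stack. */
static int sample_pixels[ROWS][COLS];

/* Fills the 128x128 corner, builds a graph from it and returns a checksum of the copied region
 * (or a negative code if allocation failed or the untouched region was not zeroed). */
long demo_copy_checksum(void) {
    for (int i = 0; i < 128; i++)
        for (int j = 0; j < 128; j++)
            sample_pixels[i][j] = i * 128 + j;
    graph g = pixel_graph_new(sample_pixels, 128, 128);
    if (g == NULL)
        return -1;
    long sum = 0;
    for (int i = 0; i < 128; i++)
        for (int j = 0; j < 128; j++)
            sum += g->pixels[i][j];
    long untouched = g->pixels[ROWS - 1][COLS - 1];   /* outside the copied corner: must be 0 */
    pixel_graph_free(g);
    return untouched == 0 ? sum : -2;
}

int main(void) {
    printf("sizeof(graph) = %zu bytes, sizeof(struct pixel_graph_header) = %zu bytes\n",
           graph_pointer_size(), graph_object_size());
    printf("checksum of copied 128x128 region: %ld\n", demo_copy_checksum());
    printf("oversized request rejected: %s\n",
           pixel_graph_new(sample_pixels, ROWS + 1, COLS) == NULL ? "yes" : "no");
    return 0;
}
```

Building this with -fsanitize=address and running it produces no report: the allocation now matches the type being written. Spelling the allocation as calloc(1, sizeof *ret) rather than sizeof(struct pixel_graph_header) ties the size to whatever ret points at, so the pointer-versus-object mix-up cannot silently return if the typedef is later changed.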