分配给结构中的静态数组时堆缓冲区溢出

heap-buffer-overflow when assigning to static array in struct

我有一个结构形式

struct pixel_graph_header {
    int pixels[ROWS][COLS];
};

typedef struct pixel_graph_header* graph;

ROWSCOLS 均由编译器指令设置为 1000。我正在尝试初始化并分配一个图形。这是我目前拥有的:

graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
    graph ret = malloc(sizeof(graph)); \line 24
    for (unsigned int i = 0; i < img_height; i++){
        for (unsigned int j = 0; j < img_width; j++) {
            ret->pixels[i][j] = pixels[i][j]; \line 29
        }
    }
}

我从一个带有 G = pixel_graph_new(width, height, pixels); 的测试文件中调用它,其中 width = 128height = 128pixels 是一个 1000x1000 数组,其中的 128x128 子集中有有用的数据它。它编译得很好,但是当我 运行 它时,我遇到了问题。我正在使用 ASan,但出现此错误:

==98106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x00010d0796e1 bp 0x7ffee284a010 sp 0x7ffee28497c0
WRITE of size 512 at 0x6020000000f8 thread T0
    #0 0x10d0796e0 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0)
    #1 0x10cfe8320 in pixel_graph_new graph.c:29
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
allocated by thread T0 here:
    #0 0x10d07bf53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x10cfe82b2 in pixel_graph_new graph.c:24
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 04 fa fa 00 00 fa fa 00 06 fa fa 00[fa]
  0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==98106==ABORTING
Abort trap: 6

我不知道是什么原因造成的。我可以检查 sizeof 并看到为 ret -> pixels 分配了一个 1000x1000 int 数组。如果我将 ret->pixels[i][j] 替换为 ret -> pixels[0][0],我会遇到同样的问题,所以我认为这不是越界错误。我也无法从 ret->pixels[0][0] 读取,它抛出基本上相同的错误,除了读取而不是写入。

你有 typedef struct pixel_graph_header* graph;。这意味着 malloc(sizeof(graph)); 分配了足够的 space 来保存 指向 struct pixel_graph_header 的指针。你需要的 space 足够 struct pixel_graph_header,所以用 malloc(sizeof(struct pixel_graph_header)); 代替。