heap-buffer-overflow when assigning to static array in struct


【Title】heap-buffer-overflow when assigning to static array in struct 【Posted】2019-07-26 09:45:38 【Question】:

I have a struct

    struct pixel_graph_header {
        int pixels[ROWS][COLS];
    };

    typedef struct pixel_graph_header* graph;

ROWS and COLS are both set to 1000 by compiler directives. I'm trying to initialize and allocate a graph. Here is what I have so far:

    graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
        graph ret = malloc(sizeof(graph)); // line 24 (the allocation ASan reports)
        for (unsigned int i = 0; i < img_height; i++) {
            for (unsigned int j = 0; j < img_width; j++) {
                ret->pixels[i][j] = pixels[i][j]; // line 29 (the write ASan reports)
            }
        }
        return ret;
    }

I call it from a test file with G = pixel_graph_new(width, height, pixels); where width = 128, height = 128, and pixels is a 1000x1000 array with useful data in a 128x128 subset. It compiles fine, but when I run it I run into problems. I'm using ASan and get this error:

==98106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x00010d0796e1 bp 0x7ffee284a010 sp 0x7ffee28497c0
WRITE of size 512 at 0x6020000000f8 thread T0
    #0 0x10d0796e0 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0)
    #1 0x10cfe8320 in pixel_graph_new graph.c:29
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
allocated by thread T0 here:
    #0 0x10d07bf53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x10cfe82b2 in pixel_graph_new graph.c:24
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 04 fa fa 00 00 fa fa 00 06 fa fa 00[fa]
  0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==98106==ABORTING
Abort trap: 6

I don't know what is causing this. I can check sizeof and see that a 1000x1000 int array is allocated for ret -> pixels. If I replace ret->pixels[i][j] with ret -> pixels[0][0], I get the same problem, so I don't think it's an out-of-bounds error. I also can't read from ret->pixels[0][0]; it throws basically the same error, except a read instead of a write.

【Comments on the question】:

Is your code in a single file or in multiple files? If you can provide the complete code I can run a test for you.

That is 4,000,000 bytes for pixels[ROWS][COLS]; pixels is a VLA. What compiler and what OS? You should look at: Is it a good idea to typedef pointers?. I'd guess libclang_rt.asan_osx... indicates clang and Mac OSX.

【Answer 1】:

You have typedef struct pixel_graph_header* graph;. That means malloc(sizeof(graph)); allocates enough space to hold one pointer to a struct pixel_graph_header. What you need is enough space to hold the whole struct pixel_graph_header, so use malloc(sizeof(struct pixel_graph_header)); instead.

【Comments on the answer】:

That did it, thank you very much. This is (unsurprisingly) homework, and I definitely have some doubts about the starter code I was given. I'm still wondering why printf("%lu\n", sizeof(ret -> pixels)); tells me I've allocated enough memory for the assignment above.

@SamCraig sizeof only tells you how big a field is, and it is evaluated at compile time. It has no idea whether you actually allocated enough space.
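The following is an added example written for this page; it is not code from the question, the answer, or the course's starter code. It assumes ROWS and COLS are #defines of 1000 as the question states, keeps the names struct pixel_graph_header, graph and pixel_graph_new from the question, and introduces the helpers buggy_alloc_size, correct_alloc_size, pixels_field_size and copy_checksum, which are not on the original page. It shows three things side by side: that sizeof(graph) is one pointer (the 8-byte region in the ASan report) while sizeof(struct pixel_graph_header) is about 4 MB; that sizeof(ret->pixels) reports the field's compile-time size even through a pointer that owns no memory, which is why the OP's printf was misleading; and a corrected allocator that goes one step beyond the accepted answer by also rejecting img_height/img_width larger than the fixed array, since after the malloc fix those parameters are the next way to write past the end of the heap block.

```c
/* Added example, not the original poster's code: shows why
 * malloc(sizeof(graph)) is too small, and a hardened allocator.
 * ROWS/COLS are assumed to be #defines of 1000 as the question states. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROWS 1000
#define COLS 1000

struct pixel_graph_header {
    int pixels[ROWS][COLS];
};

typedef struct pixel_graph_header *graph;

/* Size the buggy line actually requested: one pointer (8 bytes on x86_64),
 * matching the "8-byte region" in the ASan report. */
size_t buggy_alloc_size(void) { return sizeof(graph); }

/* Size the struct really needs: ROWS * COLS * sizeof(int), about 4 MB. */
size_t correct_alloc_size(void) { return sizeof(struct pixel_graph_header); }

/* sizeof is a compile-time property of the type, so it reports the full
 * array size even through a null pointer that owns no memory at all. */
size_t pixels_field_size(void) { return sizeof(((graph)NULL)->pixels); }

/* Hardened replacement for pixel_graph_new (name kept from the question).
 * Allocates the whole struct via sizeof(*ret), rejects dimensions that exceed
 * the fixed array, and zero-fills so unused cells hold no garbage. */
graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width)
{
    if (img_height < 0 || img_height > ROWS || img_width < 0 || img_width > COLS)
        return NULL;                       /* would index past pixels[][] */
    graph ret = calloc(1, sizeof(*ret));   /* sizeof(*ret) == sizeof(struct pixel_graph_header) */
    if (ret == NULL)
        return NULL;                       /* allocation failure, never deref */
    for (int i = 0; i < img_height; i++)
        for (int j = 0; j < img_width; j++)
            ret->pixels[i][j] = pixels[i][j];
    return ret;
}

/* Helper (added here) that fills a constructed img_height x img_width pattern,
 * copies it through pixel_graph_new and returns the checksum of the copied
 * region, or -1 if the allocator rejected the request. */
long copy_checksum(int img_height, int img_width)
{
    static int src[ROWS][COLS];           /* static: 4 MB is too big for the stack */
    memset(src, 0, sizeof src);
    if (img_height >= 0 && img_height <= ROWS && img_width >= 0 && img_width <= COLS)
        for (int i = 0; i < img_height; i++)
            for (int j = 0; j < img_width; j++)
                src[i][j] = i * COLS + j; /* constructed sample data */
    graph g = pixel_graph_new(src, img_height, img_width);
    if (g == NULL)
        return -1;
    long sum = 0;
    for (int i = 0; i < img_height; i++)
        for (int j = 0; j < img_width; j++)
            sum += g->pixels[i][j];
    free(g);
    return sum;
}

int main(void)
{
    printf("sizeof(graph)                     = %zu\n", buggy_alloc_size());
    printf("sizeof(struct pixel_graph_header) = %zu\n", correct_alloc_size());
    printf("sizeof(ret->pixels)               = %zu\n", pixels_field_size());
    printf("checksum of 128x128 copy          = %ld\n", copy_checksum(128, 128));
    printf("oversized request rejected        = %d\n", copy_checksum(2000, 10) == -1);
    return 0;
}
```

Build it with the same flags the question used, e.g. clang -fsanitize=address -g, and ASan stays silent; swapping calloc(1, sizeof(*ret)) back to malloc(sizeof(graph)) reproduces the WRITE of size 512 report at the first row copy. The sizeof(*ret) spelling is the idiom worth keeping: it tracks the pointee type automatically, so a later change to the typedef cannot silently reintroduce the undersized allocation.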
