在 C 中创建 malloc() 缓冲区溢出

Question

I want to write a check unit test for malloc(3) using the "check library".

This unit test is supposed to produce buffer overruns.

1. Is allocating a double on an int variable (ie int *ptr = malloc(3)) a buffer overrun?
2. What about allocating a bigger number than the maximum value of an int?

Could you please give me other simple examples for buffer overruns?

Answer 1

To overrun a buffer, you need to access a buffer outside its guaranteed size or before its beginning. Allocation doesn't really access any visible buffers, so it's hard to see how any kind of allocation would be a buffer overrun unless there was a bug in the allocation routine itself or its structures were corrupted.

Is allocating a double on an int variable (ie int *ptr = malloc(3)) a buffer overrun?

No, since no buffer is being accessed.

What about allocating a bigger number than the maximum value of an int?

No, since no buffer is being accessed.

To overrun a buffer, you must first have a buffer and then overrun it. For example:

int* j = malloc (2 * sizeof (int));
j[2] = 1;

Here I allocate a buffer with space for two integers and then overrun it by accessing the third integer (0 is the first, 1 is the second, so 2 is the third).

Answer 2

Writing or reading past the end of a buffer allocated by malloc produces undefined behavior , which means you can't depend on any particular behavior when it happens. The program may appear to work, it may core dump, or it may output unexpected results.

Because overrunning a malloc'ed buffer caused undefined behavior, creating test cases for it is pointless unless you're testing a particular implementation of malloc . Based on the wording of your question, that does not seem to be the case.