heap-buffer-overflow when assigning to static array in struct

I have a struct of the form

struct pixel_graph_header {
    int pixels[ROWS][COLS];
};

typedef struct pixel_graph_header* graph;

ROWS and COLS are both set to 1000 by a compiler directive. I am attempting to initialize and assign a graph. Here is what I currently have:

#include <stdlib.h>

graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
    graph ret = malloc(sizeof(graph)); // line 24: sizeof(graph) is the size of a pointer, not of the struct
    for (unsigned int i = 0; i < img_height; i++){
        for (unsigned int j = 0; j < img_width; j++) {
            ret->pixels[i][j] = pixels[i][j]; // line 29: ASan reports the overflow here
        }
    }
    return ret; // return statement assumed; not shown in the post
}

I am calling this from a test file with G = pixel_graph_new(width, height, pixels); where width = 128, height = 128 and pixels is a 1000x1000 array with useful data in the 128x128 subset of it. It compiles fine, but when I run it, I have problems. I am using ASan, and I get this error:

==98106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x00010d0796e1 bp 0x7ffee284a010 sp 0x7ffee28497c0
WRITE of size 512 at 0x6020000000f8 thread T0
    #0 0x10d0796e0 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0)
    #1 0x10cfe8320 in pixel_graph_new graph.c:29
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
allocated by thread T0 here:
    #0 0x10d07bf53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x10cfe82b2 in pixel_graph_new graph.c:24
    #2 0x10cfe8d09 in main unionfind_test.c:17
    #3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 04 fa fa 00 00 fa fa 00 06 fa fa 00[fa]
  0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==98106==ABORTING
Abort trap: 6

I have no idea what is causing this. I can check with sizeof and see that a 1000x1000 int array is allocated for ret->pixels. I get the same problem if I replace ret->pixels[i][j] with ret->pixels[0][0], so I don't think it is an out of bounds error. I can't read from ret->pixels[0][0] either; it throws basically the same error, except with read instead of write.

You have typedef struct pixel_graph_header* graph;. This means that malloc(sizeof(graph)); allocates enough space to hold a pointer to a struct pixel_graph_header. What you need is enough space for a whole struct pixel_graph_header, so use malloc(sizeof(struct pixel_graph_header)); instead.
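As an added example (not the asker's or the answerer's code), the following puts the two allocation sizes side by side and shows a corrected constructor that uses `sizeof *ret`, which sizes the pointed-to object even when a typedef hides the pointer. The dimension check against ROWS/COLS, the zero-fill, and the `copy_and_read` helper with its constructed 128x128 pattern are assumptions added here, not part of the answer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ROWS 1000
#define COLS 1000
struct pixel_graph_header {
    int pixels[ROWS][COLS];
};
typedef struct pixel_graph_header *graph;

/* Bytes requested by the original call: the size of one pointer. */
size_t buggy_alloc_size(void) { return sizeof(graph); }

/* Bytes actually needed for the object a graph points to. */
size_t correct_alloc_size(void) { return sizeof(struct pixel_graph_header); }

/* Corrected constructor. `sizeof *ret` always sizes the pointed-to struct.
 * The dimension check (assumed addition) keeps the copy loop inside the
 * fixed ROWS x COLS array; the memset zeroes the unused remainder. */
graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
    if (img_height < 0 || img_width < 0 || img_height > ROWS || img_width > COLS)
        return NULL;
    graph ret = malloc(sizeof *ret);
    if (ret == NULL)
        return NULL;
    memset(ret->pixels, 0, sizeof ret->pixels);
    for (int i = 0; i < img_height; i++)
        for (int j = 0; j < img_width; j++)
            ret->pixels[i][j] = pixels[i][j];
    return ret;
}

/* Fills a constructed 1000x1000 source with a 128x128 pattern, copies it
 * through the constructor, and returns the copied value at (row, col). */
int copy_and_read(int row, int col) {
    static int src[ROWS][COLS];   /* static: 4 MB is too large for the stack */
    for (int i = 0; i < 128; i++)
        for (int j = 0; j < 128; j++)
            src[i][j] = i * 1000 + j;
    graph g = pixel_graph_new(src, 128, 128);
    if (g == NULL) return -1;
    int v = g->pixels[row][col];
    free(g);
    return v;
}

int main(void) {
    printf("sizeof(graph)=%zu bytes, sizeof(struct)=%zu bytes\n", buggy_alloc_size(), correct_alloc_size());
    printf("pixels[127][5] copied as %d\n", copy_and_read(127, 5));
    return 0;
}
```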
