[英]heap-buffer-overflow when assigning to static array in struct
I have a struct of the form 我有一个形式的结构
struct pixel_graph_header {
int pixels[ROWS][COLS];
};
typedef struct pixel_graph_header* graph;
ROWS
and COLS
are both set to 1000 by a compiler directive. 通过编译器指令将
ROWS
和COLS
都设置为1000。 I am attempting to initialize and assign a graph. 我正在尝试初始化并分配图。 Here is what I currently have:
这是我目前拥有的:
graph pixel_graph_new(int pixels[ROWS][COLS], int img_height, int img_width) {
graph ret = malloc(sizeof(graph)); \\line 24
for (unsigned int i = 0; i < img_height; i++){
for (unsigned int j = 0; j < img_width; j++) {
ret->pixels[i][j] = pixels[i][j]; \\line 29
}
}
}
I am calling this from a test file with G = pixel_graph_new(width, height, pixels);
我从
G = pixel_graph_new(width, height, pixels);
的测试文件中调用它G = pixel_graph_new(width, height, pixels);
where width = 128
, height = 128
and pixels
is a 1000x1000 array with useful data in the the 128x128 subset of it. 其中
width = 128
, height = 128
, pixels
是1000x1000数组,其128x128子集中包含有用的数据。 It compiles fine, but when I run it, I have problems. 它可以很好地编译,但是当我运行它时,我遇到了问题。 I am using ASan, and I get this error:
我正在使用ASan,但出现此错误:
==98106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x00010d0796e1 bp 0x7ffee284a010 sp 0x7ffee28497c0
WRITE of size 512 at 0x6020000000f8 thread T0
#0 0x10d0796e0 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0)
#1 0x10cfe8320 in pixel_graph_new graph.c:29
#2 0x10cfe8d09 in main unionfind_test.c:17
#3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)
0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
allocated by thread T0 here:
#0 0x10d07bf53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
#1 0x10cfe82b2 in pixel_graph_new graph.c:24
#2 0x10cfe8d09 in main unionfind_test.c:17
#3 0x7fff5c23eed8 in start (libdyld.dylib:x86_64+0x16ed8)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x546e0) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 04 fa fa 00 00 fa fa 00 06 fa fa 00[fa]
0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==98106==ABORTING
Abort trap: 6
I have no idea what is causing this. 我不知道是什么原因造成的。 I can check with
sizeof
and see that an 1000x1000 int array is allocated for ret -> pixels
. 我可以用
sizeof
进行检查,看看是否为ret- ret -> pixels
分配了一个1000x1000 int数组。 I get the same problem if I replace ret->pixels[i][j]
with ret -> pixels[0][0]
so I don't think it is an out of bounds error. 如果我将
ret->pixels[i][j]
替换为ret->pixels[i][j]
ret -> pixels[0][0]
, ret->pixels[i][j]
同样的问题,所以我认为这不是出界错误。 I can't read from ret->pixels[0][0]
either, it throws basically the same error, except with read instead of write. 我也不能从
ret->pixels[0][0]
中读取,它会抛出基本上相同的错误,除了使用读取而不是写入。
You have typedef struct pixel_graph_header* graph;
您有
typedef struct pixel_graph_header* graph;
. 。 This means that
malloc(sizeof(graph));
这意味着
malloc(sizeof(graph));
allocates enough space to hold a pointer to a struct pixel_graph_header
. 分配足够的空间来保存指向
struct pixel_graph_header
的指针 。 What you need is enough space for a whole struct pixel_graph_header
, so use malloc(sizeof(struct pixel_graph_header));
您需要的空间足以容纳整个
struct pixel_graph_header
,因此请使用malloc(sizeof(struct pixel_graph_header));
instead. 代替。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.