无法修复我的 C 代码上的堆缓冲区溢出错误

Question

I need help fixing an fsanitize=address error on this code. If I compile my.c program with the flags "fsanitize=address -g" I get the following error:

==93042==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x000107903a7c at pc 0x0001052aa780 bp 0x00016b2af490 sp 0x00016b2aec48
READ of size 1 at 0x000107903a7c thread T0
    #0 0x1052aa77c in wrap_strchr+0x18c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x1677c)
    #1 0x104b50b70 in processData front.c:50
    #2 0x104b509d0 in main front.c:27
    #3 0x104eb5088 in start+0x204 (dyld:arm64e+0x5088)

The function I'm having problems with is called "processData". It gets a "char * data" which contains an entire CSV file (which has been copied as a string to it), and divides the csv file in lines. Each line is then sent to a "loadData" function. The "processData()" function starts by declaring two pointers: "string", which points to the character string passed as an argument, and "line", which initially points to the '\n' character (new line) in the "data" string. Then, function enters a loop that runs while there are lines left in the "data" string. Inside the loop, the function calculates the size of the current line by subtracting the value of "string" from the value of "line". Then, it creates a "aux" variable to store the current line and copies the line into the "aux" variable using "strncpy()". Next, the function adds a null character at the end of the "aux" string to indicate the end of the string. Then, it sends the line to the "loadLine()" function passed as an argument for processing. Finally, it updates the "string" pointer to point to the beginning of the next line in the "data" string. Once all lines in the "data" string have been processed, the "processData()" function ends and returns control to the caller.

This is what the processData function looks like (I have highlighted line 50):

void processData(sensorADT s, char * data, loadLine loadData) {
  // Pointer to the "data" string
  char * string = data;

  // Pointer to the '\n' character (new line) in the "data" string
  char * line;
  
  // Loop that runs while there are lines left in the "data" string
  // THE FOLLOWING LINE IS LINE 50:
  while (string != NULL && (line = strchr(string,'\n')) != NULL) {
    // Calculates the size of the current line
    int len = line - string;

    // Creates a "aux" variable to store the current line
    char aux[len + 1];

    // Copies the current line in the "aux" variable
    strncpy(aux, string, len);

    // Adds a null character at the end of the line to indicate the end of the string
    aux[len] = 0;

    // Sends the line to the "loadLine()" function for processing
    loadData(s, aux);

    // Updates the "string" pointer to point to the beginning of the next line
    string = line + 1;
  }
}

If I try compiling and running the code without the sanitizer on, it works as intended.

Thanks!

I tried compiling my program with the sanitize flag on, and I get that error. If I compile it without the sanitizer flag, it runs flawlessly and gives me the expected results.

Answer 1

According to your error message, the culprit is wrap_strchr() , which is reading after the allocated space of the string.

Since strchr() should stop at the final '\0' of the string and return NULL , my guess is that your data is not null-terminated at all.

By the way, that also means that strlen() will trigger the same error.

There is no easy way out of this error inside the function. Either you add a size_t len parameter or ensure that the string is null-terminated in the caller .