[英]Heap buffer overflow on sprintf
我在此代码上收到heap-buffer-overflow
错误:
// ast.c
char *not_last_prefix = malloc(strlen(next_prefix) + 4); // line 204
sprintf(not_last_prefix, "%s│ ", next_prefix); // line 206
=================================================================
==3394==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000279 at pc 0x7f0d9e6d7715 bp 0x7fff975bcf60 sp 0x7fff975bc6f0
WRITE of size 11 at 0x602000000279 thread T0
#0 0x7f0d9e6d7714 in vsprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714)
#1 0x7f0d9e6d7bce in sprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9ebce)
#2 0x55708e40b909 in print_ast_impl src/ast.c:206
#3 0x55708e40b7ef in print_ast src/ast.c:192
#4 0x55708e4112ad in main src/main.c:50
#5 0x7f0d9e46f1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
#6 0x55708e40a5cd in _start (/home/michael/Code/Baby-C/debug/bcc+0x65cd)
0x602000000279 is located 0 bytes to the right of 9-byte region [0x602000000270,0x602000000279)
allocated by thread T0 here:
#0 0x7f0d9e746ae8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dae8)
#1 0x55708e40b8cd in print_ast_impl src/ast.c:204
#2 0x55708e40b7ef in print_ast src/ast.c:192
#3 0x55708e4112ad in main src/main.c:50
#4 0x7f0d9e46f1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
Shadow bytes around the buggy address:
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 fa fa fa 02 fa fa fa 00 00 fa fa 00 00
0x0c047fff8010: fa fa 02 fa fa fa 00 00 fa fa 00 00 fa fa 02 fa
0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 02 fa fa fa 02 fa
0x0c047fff8030: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x0c047fff8040: fa fa 02 fa fa fa fd fa fa fa 00 01 fa fa 00[01]
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3394==ABORTING
我能找到的一切都表明我没有为sprintf
的结果分配足够的空间,但我看不出这是怎么回事。 我为next_prefix
的长度分配空间,为它next_prefix
的"│ "
分配 3 个字节,为NULL
终止符分配 1 个字节。 结果字符串应该适合。 我在这里缺少什么?
问题是字符串字面量的长度不是3,而是5。这是因为竖线不是标准的ASCII字符,而是unicode字符(UTF-8编码为三个字节)。
为了避免这样的问题,应该将文字分配给char *
并取其长度,如下所示
char *separator = "│ ";
char *not_last_prefix = malloc(strlen(next_prefix) + strlen(separator) + 1);
sprintf(not_last_prefix, "%s%s", next_prefix, separator);
正如我所指出的,问题是我的格式字符串包含一个 unicode 字符。 我错误地认为再分配一个字节就可以解决问题——原来 UTF-8 字符的长度可以多达 4 个字节! 好消息是您可以通过检查这个简单的表(在这里找到)来准确地检查它们占用了多少字节。
Character code (decimal) | Bytes used
-------------------------|------------
0-127 | 1 byte
128-2047 | 2 bytes
2048-65535 | 3 bytes
65536-1114111 | 4 bytes
就我而言,我使用的竖线字符 ( │
) 是 unicode "\│"
,这意味着它占用 3 个字节!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.