I have a simple C structure that looks like this:
struct SExample
{
int total_bytes;
int id;
int some_other_code;
};
And it is used in code like this:
const char text1[] = "some data";
int length = sizeof(SExample + sizeof(int) + strlen(text1);
SExample* e = (SExample*)malloc(length);
What kind of behavior can I expect when I go to access the structure e in
the following manner?
if (e)
{
// Copy fixed portion:
e->total_bytes = length;
e->id = 0;
e->some_other_code = 0x1234;
// Copy variable portion:
*(int*)(e + 1) = strlen(text1);
memcpy((char*)(e + 1) + sizeof(int), text1, strlen(text1));
}
Note: This results in a structure something like this:
[29] [0] [0x1234] [9] ["some data"]
It's all referenced based on the fixed size portion of e, but there are
cases where (e + 1) is used to access the end of the fixed block, which is
the start of the variable block.
Do sanitizers handle this without error properly? (Note: I do not have
tools setup which allow me to test this)
Can I assume that because e was allocated with malloc() large enough to
encompass total_size bytes, all accesses will be okay? Or are there
calculations which recognize in this case that (e + 1) starts a new
SExample struct which ultimately reaches into data space beyond the end of
the allocated malloc() block, and therefore while some portions of e would
be invalid, some parts would also be invalid. Would the sanitizer capture
that error potential before any data is written to? Or is it merely
response to actual reads and writes?
Thank you,
Rick C. Hodgin
--
You received this message because you are subscribed to the Google Groups
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
