-4

Could anyone clarify this?

char str[1];
strcpy(str, "HHHHHHHHHHHH");

Here I declared a char array with size one, but the program doesn't crash until I enter more than 12 characters and I only have an array size one. Why?

Glove
  • 960
  • 6
  • 17
  • 30
  • 6
    Congrats, you found UB! – P0W Sep 22 '13 at 18:47
  • 3
    Here's a [related post](http://stackoverflow.com/a/6445794/596781). Not quite the same situation, but the same explanation for what's going on. – Kerrek SB Sep 22 '13 at 18:49
  • @P0W, is using this abbreviation intended to make people ask "What is the definition of UB"? That's pretty mean. I like it. – Leeor Sep 22 '13 at 18:51
  • @Glove pick a good book – Grijesh Chauhan Sep 22 '13 at 18:58
  • We have this type of question almost every day, I think. Please search the site before asking. Possible duplicate of [C no out of bounds error](http://stackoverflow.com/questions/9137157/c-no-out-of-bounds-error) – Jens Gustedt Sep 22 '13 at 19:14
  • Your code has a bug. Fix the bug and the mystery will go away. Yes, programs with bugs in them don't do what you expect. That's why it's best to avoid them. – David Schwartz Sep 22 '13 at 19:17

2 Answers

5

This code has undefined behaviour, since it writes more than one element into str. It could do anything. It is your responsibility to ensure that you only write into memory that you own.

Kerrek SB
  • 464,522
  • 92
  • 875
  • 1,084
1

This is undefined behaviour. In practice, you overwrite the memory contents of something. In this case, that array goes on the stack, if it is a local variable. It is likely that you have a CPU architecture where the stack grows down, so you start overwriting things like other local variables, saved register values and return addresses of function calls.

You probably first overwrote something which had no immediate effect, or you did not notice the effect. This might be a local variable which wasn't initialized yet, or a local variable or saved register value which was not actually used after you overwrote it.

Then when you increased the length of the overflow, you probably corrupted the function return address, and then the crash actually happened when you returned from the function. If you had any other memory addresses, that is pointers, the crash could also be because you tried to access the value pointed to by a corrupted pointer.

Finally, if you increased the overflow size enough, the string copying would eventually directly write outside the allowed area and cause an immediate crash (assuming a CPU and OS which have such memory protection, and not some ancient or embedded system). But this probably was not the reason here, as you wrote only 14 bytes before the crash.

But note that the above is kinda pointless from the point of view of the C language: it is undefined behaviour, which often changes if you change anything in the program, compiler options or input data. This can make memory corruption bugs hard to find, as adding debug stuff often makes the problem "disappear" (changes or hides the symptoms).

hyde
  • 60,639
  • 21
  • 115
  • 176
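As an added example (not code from the question or from either answer): the same copy with a destination-size check, which refuses the question's 12-character write into `char str[1]` instead of spilling past it, plus a byte-array model of the frame hyde describes, showing why an overflow of up to 12 characters can pass unnoticed while one more character corrupts the saved return address. The frame offsets and the 0xAA fill are constructed assumptions, not a real compiler's layout.

```c
/* Added example (not from the question or the answers): a bounds-checked
 * replacement for the strcpy() in the question, and a byte-array model of
 * the frame hyde describes, so nothing here is undefined behaviour. */
#include <string.h>

/* Copy src into dst[dst_size]. Returns 0 when the string and its NUL fit,
 * otherwise writes a truncated, NUL-terminated prefix and returns -1. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n + 1 > dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The question's case: char str[1] and a 12-character source. With the
 * checked copy the write is refused instead of spilling past the array. */
int question_case_is_refused(void)
{
    char str[1];
    int rc = copy_checked(str, sizeof str, "HHHHHHHHHHHH");
    return rc == -1 && str[0] == '\0';
}

/* Modelled frame (constructed offsets): the 1-byte buffer at offset 0,
 * then 12 bytes that nothing reads (padding, dead locals), then an 8-byte
 * "return address" at offset 13. Real layouts vary with compiler and ABI. */
#define FRAME_RET  13
#define FRAME_SIZE 21

/* Simulate an unchecked copy of len 'H's plus the NUL into the buffer and
 * report whether the modelled return address changed. */
int overflow_reaches_return_address(size_t len)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0xAA, sizeof frame);             /* 0xAA marks "untouched" */
    size_t written = len + 1;                      /* characters plus NUL */
    if (written > FRAME_SIZE) written = FRAME_SIZE; /* keep the model in bounds */
    memset(frame, 'H', written - 1);
    frame[written - 1] = '\0';
    for (size_t i = FRAME_RET; i < FRAME_SIZE; i++)
        if (frame[i] != 0xAA) return 1;            /* 13+ characters hit it */
    return 0;                                      /* up to 12 pass unnoticed */
}
```

Building the original snippet with AddressSanitizer (`-fsanitize=address` in GCC or Clang) reports the overflow at the first out-of-bounds byte, instead of waiting for a corrupted return address to be used.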