
The following code generated this output on my computer (Mac OS X Yosemite, 64-bit):

#include <stdio.h>
#include <stdlib.h>
int main(int argc, char const *argv[])
{
    int *p = malloc(sizeof(int));   /* room for exactly one int: p[0] */
    *p = 5;
    int *q = p;
    q = *(p + 1);   /* reads the int one past the allocated block, then stores that int into a pointer (compiles only with a warning) */
    printf("p is %p\n", p);
    printf("q is %p\n", q);
    return 0;
}

Output:

p is 0x7f8f49404c90
q is 0xffffffffb0000000

The second pointer is a pretty large number so I'm wondering if it is correct to say this is a buffer overflow.

Sourav Ghosh
Arthur Collé
    did you really mean `q = *(p + 1);`? or `q = (p + 1);` – Sourav Ghosh Nov 25 '14 at 06:20
  • I really meant that. Incrementing the memory address by 1 and then dereferencing that. – Arthur Collé Nov 25 '14 at 06:22
  • Yep, that's what. Don't you mean `*q = *(p + 1);`? The result of that is a different discussion, though. – Sourav Ghosh Nov 25 '14 at 06:24
  • Creating a buffer overflow isn't rocket science. `int arr[1]; arr[1]=0;` There you go. – Lundin Nov 25 '14 at 07:46
  • [Yes/no questions about an example are not a good fit for this site](http://meta.stackoverflow.com/questions/258630/where-is-the-line-for-yes-no-questions). Answers to such questions are rarely useful to anyone except the original asker. The purpose of this site is to create a useful repository of high quality questions with answers. Instead of asking "is this an example of _X_", ask "what is _X_". – Raedwald Feb 26 '16 at 13:26
  • Possible duplicate of [What is a buffer overflow and how do I cause one?](http://stackoverflow.com/questions/574159/what-is-a-buffer-overflow-and-how-do-i-cause-one) – Raedwald Feb 26 '16 at 13:27

2 Answers
int *p = malloc(sizeof(int));

The memory being allocated can hold just one integer,

which you are already storing with

*p = 5;

Now you are incrementing the pointer:

(p+1)

This is a memory location which you have not allocated. Now you are trying to read the data stored at (p+1), which will lead to undefined behaviour; as you mentioned, this is a buffer overflow.

*q = *(p+1) 

and then trying to assign this value to *q, which might cause a crash.

Gopi

As per the discussion, your code should be `*q = *(p + 1);`

Enable all the warnings in your compiler. Then, in cases like `q = *(p + 1)`, your compiler would have warned you: assignment makes pointer from integer without a cast.

Here `q` (that is, `p + 1`) points to a memory location which is not allocated to your program. malloc() allocated to `p` memory enough to hold a single integer. In other words, you are not supposed to access the memory location after the malloc()-ed region from your program. So accessing `p + 1` will result in undefined behaviour.

You can get more insight into this if you compile your program and run it through a memory debugger, say valgrind. It will show you the memory region access violation.


EDIT:

Check the code below (line 8):

  1 #include <stdio.h>
  2 #include <stdlib.h>
  3 int main(int argc, char const *argv[])
  4 {
  5     int *p = malloc(sizeof(int));
  6     *p = 5;
  7     int *q = p;
  8     *q = *(p + 1);
  9     printf("p is %p\n", p);
 10     printf("q is %p\n", q);
 11     return 0;
 12 }

and the result (partial) after running it through valgrind:

==12786== Invalid read of size 4
==12786==    at 0x80483E9: main (test71.c:8)
==12786==  Address 0x402602c is 0 bytes after a block of size 4 alloc'd
==12786==    at 0x4005903: malloc (vg_replace_malloc.c:195)
==12786==    by 0x80483D0: main (test71.c:5)
==12786== 
Sourav Ghosh
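As an added example, not code from the question or from either answer, the C below puts the question's out-of-bounds read (the point both answers make) beside an in-bounds version of the intended `*q = *(p + 1)`, and isolates the int-to-pointer conversion behind the original `q = *(p + 1)`. The function names and sample values are mine; reading the printed `0xffffffffb0000000` as a sign-extended 32-bit int is an inference from the output, not something the answers state.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Same shape as the question's code: malloc() hands out room for exactly one
 * int, so p + 1 is the first address past the block.  Reading it is the
 * "Invalid read of size 4 ... 0 bytes after a block of size 4" that valgrind
 * reports above.  The returned value is garbage (undefined behaviour); the
 * function exists only so the bad read can be reproduced under valgrind. */
int read_past_block(void)
{
    int *p = malloc(sizeof(int));       /* 4 bytes: p[0] only */
    if (p == NULL)
        return -1;
    *p = 5;
    int leaked = *(p + 1);              /* out of bounds: p[1] was never allocated */
    free(p);
    return leaked;
}

/* Fixed version of the intended statement `*q = *(p + 1)`: allocate as many
 * ints as will be indexed, so p + 1 lies inside the block.  Returns the value
 * left in p[0] after the copy. */
int copy_neighbour(int first, int second)
{
    int *p = malloc(2 * sizeof(int));   /* room for p[0] and p[1] */
    if (p == NULL)
        return -1;
    p[0] = first;
    p[1] = second;
    int *q = p;                         /* q aliases p[0] */
    *q = *(p + 1);                      /* in bounds: copies p[1] into p[0] */
    int result = p[0];
    free(p);
    return result;
}

/* What the question's actual statement `q = *(p + 1)` did with the int it
 * read: it converted a 4-byte int into an int pointer.  GCC and Clang
 * sign-extend that conversion on 64-bit targets, so a negative int such as
 * (int)0xb0000000 (a constructed sample value) becomes the pointer
 * 0xffffffffb0000000 printed in the question.  The cast through intptr_t
 * makes the conversion explicit; the implicit form is what the compiler
 * warns about. */
uintptr_t int_to_pointer_bits(int value)
{
    int *q = (int *)(intptr_t)value;
    return (uintptr_t)q;
}

int main(int argc, char const *argv[])
{
    (void)argv;
    printf("copy_neighbour(5, 7) = %d\n", copy_neighbour(5, 7));
    printf("(int)0xb0000000 as pointer bits: 0x%llx\n",
           (unsigned long long)int_to_pointer_bits((int)0xb0000000));
    /* Pass any argument and run under valgrind to see the invalid read. */
    if (argc > 1)
        printf("read_past_block() returned %d (garbage)\n", read_past_block());
    return 0;
}
```

Build with `cc -Wall -g oob.c -o oob` and run `valgrind ./oob x`: the only complaint is the 4-byte invalid read in `read_past_block`, since `copy_neighbour` stays inside its 8-byte block. Removing the cast in `int_to_pointer_bits` brings back the warning the answer above quotes (recent GCC versions reject the implicit conversion outright).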