When I ran this code, I got an address overflow.

=================================================================
==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000036 at pc 0x55d8bdde3115 bp 0x7ffdf034bca0 sp 0x7ffdf034bc90
READ of size 1 at 0x602000000036 thread T0
    #3 0x7fa4f31310b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
0x602000000036 is located 0 bytes to the right of 6-byte region [0x602000000030,0x602000000036)
allocated by thread T0 here:
    #0 0x7fa4f3d76bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #3 0x7fa4f31310b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 06 fa fa fa[06]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30==ABORTING

I am not getting why.

#include <stdlib.h>
#include <string.h>

char* toLowerCase(char *str) {
  int len;
  int i;
  char *newstr;  /* was "char newstr;" in the post; a typo, per the comments below */
  len = strlen(str);
  //printf("Length of string = %d",len);
  newstr = (char*) malloc(len * sizeof(char) + 1);
  for (i = 0; i < len; i++) {
    // note: strict compares, so 'a', 'z', 'A' and 'Z' themselves take the outer else branch
    if ((str[i] > 'a' && str[i] < 'z') || (str[i] > 'A' && str[i] < 'Z')) {
      if (str[i] > 'a' && str[i] < 'z') {
        newstr[i] = str[i];  // already lower case, copy as is
        // printf("\n%c",newstr[i]);
      } else {
        newstr[i] = str[i] + 32;  // upper to lower ('a' - 'A' == 32 in ASCII)
      }
    } else {
      newstr[i] = str[i];
    }
  }
  // no '\0' is written at newstr[len] before returning
  return newstr;
}

chux - Reinstate Monica
sobin thomas
  • Notice anything weird about the cast of the return value of malloc here? `newstr = (char)malloc(len*sizeof(char) + 1);` – Retired Ninja Jan 09 '21 at 02:06
  • There was a typo. It's `(char*)malloc(len*sizeof(char)+1);`, the issue is still prevailing – sobin thomas Jan 09 '21 at 02:08
  • Always copy/paste the exact code you're having the error with. Consider fleshing this out to a [mcve]. – Retired Ninja Jan 09 '21 at 02:09
  • I suppose `char newstr;` is also a typo? You're not properly terminating the string after copying it. Chances are the crash happens later because of how you use that return value. – Retired Ninja Jan 09 '21 at 02:16

1 Answer

With `char newstr;` as `char *newstr;`:

newstr does not point to a string as the destination lacks a null character. Append one.

  }
  newstr[i] = '\0'; // add
  return newstr;

The calling code is certainly failing when attempting to print a string.


Aside: the below is conceptually wrong, as the `* sizeof(char)` should apply to `len + 1`.

newstr = (char*) malloc(len * sizeof(char) + 1); // Poor

Better as (see also "Do I cast the result of malloc?"):

newstr = malloc(sizeof(char) * (len + 1)); // Good

It works either way numerically since sizeof(char) is always 1, but would be a bug with a wider type.

Could simplify to the below for strings of char.

newstr = malloc(len + 1); // Better

If one still wants to use the sizeof, use the size of the referenced data instead of attempting to match the type. This is easier to code right, review and maintain.

newstr = malloc(sizeof *newstr * (len + 1)); // Recommended
chux - Reinstate Monica
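Putting the answer's two points together (terminate the copy, size the buffer from `sizeof *newstr * (len + 1)`), here is a corrected version of the question's function as an added example; it is not the asker's or the answerer's code, and the names `to_lower_copy` and `lower_copy_ok` are my own. It also swaps the strict `<`/`>` compares for `tolower()` on an `unsigned char`, which covers the `'a'`, `'z'`, `'A'`, `'Z'` endpoints the posted compares skip.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the question or answer.
 * Returns a newly allocated, '\0'-terminated lower-case copy of str,
 * or NULL if malloc fails. The caller owns the result and must free() it. */
char *to_lower_copy(const char *str) {
    size_t len = strlen(str);
    /* size from the pointee, and len + 1 so the terminator has a home */
    char *newstr = malloc(sizeof *newstr * (len + 1));
    if (newstr == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < len; i++) {
        /* tolower() takes an unsigned char value; a plain char may be negative */
        newstr[i] = (char)tolower((unsigned char)str[i]);
    }
    newstr[len] = '\0'; /* the byte the posted function never wrote */
    return newstr;
}

/* Checks that the copy equals expect and that strlen() stops at the
 * terminator we wrote (no read past the allocation). Returns 1 on success. */
int lower_copy_ok(const char *in, const char *expect) {
    char *out = to_lower_copy(in);
    if (out == NULL) {
        return 0;
    }
    int ok = strcmp(out, expect) == 0 && strlen(out) == strlen(in);
    free(out);
    return ok;
}
```

Building this with `-fsanitize=address`, as the question's report shows was done, no longer produces the heap-buffer-overflow, because printing or measuring the result now stops at the terminator inside the allocation.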