
When running this program in Visual Studio, I receive an "Access Violation" error when the program reaches the `memcpy` function. No matter what size I make this buffer, it always throws this read access violation error. I've set breakpoints at the `memcpy` function and as soon as I continue the execution, it throws this error:

(screenshot of the error message)

```c
#include <windows.h>   /* HINSTANCE */
#include <stdlib.h>    /* malloc, free */
#include <string.h>    /* memcpy */

#define DATA_SIZE 27136   /* must be defined before data[] below uses it */

/* In this post the buffer is simply filled with 'A' characters. */
char data[DATA_SIZE] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

void spawn(void * buffer, int length, char * key);

typedef struct {
    int  offset;
    int  length;
    char key[4];
    int  gmh_offset;
    int  gpa_offset;
    char payload[DATA_SIZE];   /* the struct is DATA_SIZE plus the header fields */
} phear;

extern char data[DATA_SIZE];
void start(HINSTANCE mhandle) {

    phear * payload = (phear *)data;   /* reinterprets the char array as a phear */
    char * buffer;

    buffer = (char *)malloc(payload->length);
    memcpy(buffer, payload->payload, payload->length);   /* the read access violation is raised here */

    /* execute our code */
    spawn(buffer, payload->length, payload->key);

    /* clean up after ourselves */
    free(buffer);
}
```
  • Which pointer is it accessing when it faults? The source or the destination? What is the value of `payload->length`? Is it greater than `DATA_SIZE` for example? Is `data` somehow invalid? That is, there is a lot more debugging data needed. – kaylum Sep 09 '21 at 20:42
  • `(phear *)data;` why would there be `phear` at `data`? At least, `data` is not _aligned_ to `phear`. – KamilCuk Sep 09 '21 at 20:42
  • `data` is not a `phear`, nor can you treat it as such. Aside from the alignment problem, it's clearly smaller than an actual `phear`. Stop messing around with type casts. They aren't needed for this, and they're allowing bugs. If you need a `phear`, then *declare* a `phear`, not a `char` array. – Tom Karzes Sep 09 '21 at 20:57
  • Expanding on Tom's comment, do: `phear data;` and `extern phear data;` and eliminate the casts – Craig Estey Sep 09 '21 at 23:17

1 Answer

There are several problems here:

  • `data` might not be correctly aligned for `phear`. See What is aligned memory allocation?
  • `payload->length` is a strict aliasing violation: this is defined as `(*payload).length` and the expression `*payload` accesses memory through an expression of type `phear` but there is no object of type `phear` at that location.
  • (If we ignore the above two problems for a moment) The `memcpy` reads out of bounds because `sizeof data < sizeof(phear)`.

A simple solution would be to use `extern phear data;` instead of the char array. If you really want to use the char array then copy data in and out of it with `memcpy` instead of struct access.

M.M
  • 138,810
  • 21
  • 208
  • 365