panava

Reputation: 11

Heap buffer overflow--is this a false positive of address sanitizer?

I have the following simple program

#include <stdint.h>   /* int16_t */
#include <string.h>   /* memcpy */

void copy(const int16_t *buffer) {
    int16_t *b;            /* declared but never initialized: points nowhere valid */
    memcpy(b, buffer, 2);  /* writes 2 bytes through the uninitialized pointer */
    return;
}


int LLVMFuzzerTestOneInput(const int16_t *buffer) {
  copy(buffer);
  return 0;
}

which I compile with clang (v9) using the address sanitizer and fuzzer flags as follows

clang -fsanitize=address,fuzzer -g test5.c

When I run the resulting executable, the fuzzer finds a heap-buffer overflow due to an invalid read--in particular while trying to copy the second byte in memcpy.

I cannot really understand why this is an error. Any explanations? Thank you in advance.

Upvotes: -1

Views: 1514

Answers (1)

EvilTeach

Reputation: 28837

As b is not initialized when you memcpy to it, you are invoking undefined behavior. Literally, "where do you want to copy that data to?"

The sanitizer is correct, and doing you a big favor by pointing that issue out.

What is that copy function intended to do?

Upvotes: 3
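For comparison, here is an added, corrected harness (not from the question or the answer) that gives memcpy a real destination and uses libFuzzer's standard entry-point signature, `int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)`; it also checks `Size` before reading, because libFuzzer hands each test case over as a heap buffer of exactly `Size` bytes, so a 2-byte memcpy from a shorter input is itself a heap-buffer-overflow read that ASan will report. The function names and the return-code convention are my own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Copy one int16_t out of a raw byte buffer.
 * dst is a caller-owned object, so the destination is always valid.
 * Returns 0 on success, -1 if src cannot supply sizeof(int16_t) bytes. */
int copy_int16(int16_t *dst, const uint8_t *src, size_t src_len) {
    if (dst == NULL || src == NULL || src_len < sizeof(*dst)) {
        return -1;   /* too short: reading 2 bytes would run past src */
    }
    memcpy(dst, src, sizeof(*dst));   /* both bytes lie inside src */
    return 0;
}

/* Standard libFuzzer entry point. Build with:
 *   clang -fsanitize=address,fuzzer -g harness.c
 * libFuzzer starts with empty and very short inputs, so the length check
 * above is what keeps ASan quiet on the first iterations. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    int16_t value;
    if (copy_int16(&value, Data, Size) != 0) {
        return 0;    /* reject inputs shorter than 2 bytes */
    }
    (void)value;     /* a real harness would feed value to the code under test */
    return 0;
}
```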
