In memcpy how to handle memory overflow?

Question

int main ()
{
    char *destination;
    char source[10] = "jigarpatel";
    destination = (char*) malloc(5);
    memcpy(destination, source, 10);
    printf("%s and size is %d", destination, strlen(destination));
    free(destination);
    return 0;
}

Output:

 jigarpatel and size is 10

Question:

Here I have allocated just 5 bytes to destination, but the destination length is 10, why is this?

Where are the other bytes stored?

Is it safe in embedded system? Any chances of a crash or a segmentation fault?

How can I detect this type of mistake?

Another Question :

see i am writing one library where user asks for needed memory and library says allocate 10 bytes & then user malloc 10 bytes & pass its pointer to library. now library store some data there...now see if library said to allocate 10 bytes but user has allocated only 5 bytes & give that pointer to library then how can i detect that user hasnt malloc suffecient memory.

Answer 1

This sometimes happens to work but it's definitely not safe on any system. You are writing past the end of what malloc is giving you. From the viewpoint of C it's illegal, but from the viewpoint of the OS it might be ok (that memory might be paged with adequate permissions).

Another problem is that if you later call malloc again, it might give you some memory including those 5 bytes that you are using without asking. This should provide some interesting debugging sessions.

here i have just allocated only 5 bytes to destination then still why destination length is 10.?

The destination has only 5 bytes allocated, but because of the way malloc works on your system, this doesn't cause an invalid write, since it happens to be inside a valid page.

where other bytes are stored.?

Right after the first 5, for now.

Is it safe in embedded system.? any chances to crash or segmention fault.?

It's unsafe in any system. Many chances of crashes.

how can i detect this type of mistakes.?

Using valgrind or any memory debugger. A gentle introduction to valgrind can be found here.

¹ _{For example, on Linux (Glibc), small (~64 bytes) malloc requests are served from a small list of preallocated pages called "fastbins". Each fastbin has a fixed size, and hence using an allocated fastbin up to that size would not trigger a segmentation violation. More details on how this happens can be found here, for a more rigorous treatment of the topic you might refer to the malloc source code.}

Answer 2

Here i have just allocated only 5 bytes to destination then still why destination length is 10?

printf("%s and size is %d",destination,strlen(destination)); 

The strlen() considers \0 as the end of the string, So it continues counting until it enounters a \0. This does not mean destination has that much memory allocated.

You are writing beyond the bounds of the allocated memory and luckily it does not crash, but sure is an Undefined Behavior to do so. An Undefined Behavior means anything can happen & the behavior cannot be explained, luckily Your program does not crash.

where other bytes are stored?
The other bytes overwrite some other memory allocation beyond the 5 bytes allocated to destination.

Is it safe in embedded system? any chances to crash or segmention fault?
It is NOT safe. It causes an Undefined Behavior and If you are lucky that it works.

how can i detect this type of mistakes?
Each platform has certain Memory profiling tools like Valgrind for Linux/Unix, You can use them and they will point out such memory overrites.

Answer 3

You are luck that it has not crashed. The third parameter of memcpy should be 4 and then you should put the null character in the 5 position to terminate the string.

Answer 4

No it's not safe - writing beyond the end of an allocated block will typically cause heap corruption.

Use tools such as valgrind to catch this and other kinds of error.