Nemo Streams
Reputation: 39
Why this error happens: SUMMARY: AddressSanitizer: heap-buffer-overflow
I have my own long arithmetic set of functions. And I don't know why this error happens because I have only one function which is change the value of __INTINF var and when I increase the value I call another functions which is do: (if we close to overflow just realloc x2size).
Error:
==11157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0004b72c0 at pc 0x55bf1bedcc01 bp 0x7ffc5d6d6c00 sp 0x7ffc5d6d6bf0
READ of size 8 at 0x60e0004b72c0 thread T0
#0 0x55bf1bedcc00 in inf_sum /home/user/C/longArithmetic/intinf.c:72
#1 0x55bf1bedcedc in inf_add /home/user/C/longArithmetic/intinf.c:91
#2 0x55bf1bedd037 in inf_product /home/user/C/longArithmetic/intinf.c:106
#3 0x55bf1bedd19e in inf_multi /home/user/C/longArithmetic/intinf.c:115
#4 0x55bf1bedd2c5 in inf_pow /home/user/C/longArithmetic/intinf.c:127
#5 0x55bf1bedc448 in main /home/user/C/longArithmetic/test.c:14
#6 0x7f8425afed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f8425afee3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x55bf1bedc264 in _start (/home/user/C/longArithmetic/test.out+0x1264)
0x60e0004b72c0 is located 0 bytes to the right of 160-byte region [0x60e0004b7220,0x60e0004b72c0)
allocated by thread T0 here:
#0 0x7f8425e99887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55bf1bedc574 in inf /home/user/C/longArithmetic/intinf.c:16
#2 0x55bf1bedd132 in inf_multi /home/user/C/longArithmetic/intinf.c:113
#3 0x55bf1bedd2c5 in inf_pow /home/user/C/longArithmetic/intinf.c:127
#4 0x55bf1bedc448 in main /home/user/C/longArithmetic/test.c:14
#5 0x7f8425afed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/C/longArithmetic/intinf.c:72 in inf_sum
Shadow bytes around the buggy address:
0x0c1c8008ee00: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1c8008ee10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c8008ee20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c8008ee30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1c8008ee40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c8008ee50: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c1c8008ee60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c8008ee70: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c8008ee80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c8008ee90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c8008eea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==11157==ABORTING
This is important definitions.
#define MODULO (1000000000000000000ULL)
#define START_SIZE (20)
typedef long long int64;
typedef unsigned long long u64;
typedef unsigned char u8;
This is src code of functions.
void inf_sum(__INTINF *dst, __INTINF *num1, __INTINF *num2)
{
__inf_clear(dst);
__INTINF *max_num = NULL;
int64 max_count = 0;
u8 carry_flag = 0;
if (num1->count > num2->count) {
max_num = num1;
memset(num2->digits + num2->count, 0, num1->count - num2->count);
}
else if (num2->count > num1->count) {
max_num = num2;
memset(num1->digits + num1->count, 0, num2->count - num1->count);
} else {
max_num = num1;
}
max_count = max_num->count;
for (int i = 0; i < max_count; ++i) {
dst->count++;
__inf_domain_expansion(dst);
dst->digits[i] = num1->digits[i] + num2->digits[i] + carry_flag;
carry_flag = 0;
if (dst->digits[i] > MODULO - 1) {
dst->digits[i] -= MODULO;
carry_flag = 1;
}
}
if (carry_flag) {
dst->count++;
__inf_domain_expansion(dst);
dst->digits[dst->count] = carry_flag;
}
}
void inf_add(__INTINF **num1, __INTINF *num2)
{
__INTINF *new_num1 = inf();
inf_sum(new_num1, *num1, num2);
inf_free(*num1);
*num1 = new_num1;
}
void inf_product(__INTINF **dst, __INTINF *num1, __INTINF *num2)
{
__inf_clear(*dst);
int64 times = 0;
for (int i = 0; i < num2->count; ++i) {
times = (num2->digits[i]) * (int64)pow(MODULO, i);;
for (int j = 0; j < times; ++j) {
inf_add(dst, num1);
}
}
}
void inf_multi(__INTINF **num1, __INTINF *num2)
{
__INTINF *new_num1 = inf();
inf_product(&new_num1, *num1, num2);
inf_free(*num1);
*num1 = new_num1;
}
void inf_pow(__INTINF **dst, __INTINF *num, u64 exp)
{
__inf_copy(dst, num);
for (int i = 0; i < exp - 1; ++i) {
inf_multi(dst, num);
}
}
static void __inf_domain_expansion(__INTINF *num)
{
if (num->count >= num->size) {
num->size *= 2;
num->digits = (u64*)realloc(num->digits, num->size * sizeof(u64));
memset(num->digits + num->count, 0, num->size);
}
}
This is main file.
__INTINF *n1 = inf(); /* Allocate memmory to var n1 */
__INTINF *n2 = inf(); /* Allocate memmory to var n1 */
inf_put(n1, 127ULL); /* Initializes n1 data */
inf_pow(&n2, n1, 6512); /* Raises n1 to power of 6512 */
I tried change the condition in static void __inf_domain_expansion(__INTINF *num) functions, like if ((float)(num->count) / (float)(num->size) * 100 > EXPAND_AT), EXPAND_AT equals to 80. Also I tried to debbug this code a lot of times. And what I found out problem is I don't have enough allocated memory in digits array.
Upvotes: 1
Views: 247
Answers (0)
Related Questions
- AddressSanitizer heap-buffer-overflow error in Leetcode groupAnagram problem
- LeetCode ERROR: AddressSanitizer: heap-buffer-overflow
- C: Heap Buffer Overflow when Storing Elements Using Dynamic Memory Allocation
- addressSanitizer: heap-buffer-overflow on address
- Multiply Strings - [leetcode] The code works perfectly fine on computer but not on the website
- Leetcode : AddressSanitizer heap-buffer-overflow
- Why is this code vulnerable to buffer overflow attacks?