[Bug 839001] [NEW] Wrong memory access with strlen()

Sworddragon 839001 at bugs.launchpad.net
Thu Sep 1 18:45:04 UTC 2011


Public bug reported:

I'm using Ubuntu 11.10 dev with libc6 2.13-17ubuntu2 and Valgrind
1:3.6.1-0ubuntu2. strlen() is accessing in some cases the wrong memory.
I have written example code that shows the problem. The code was
compiled with "gcc -O3 -Wall -Wextra -o test -pedantic test.c" (the
error appears on -O2 too but not on -O1). The application was executed
with "valgrind ./test".

This is the code:

#include <stdlib.h>
#include <string.h>

int main(void)
{
	char *buffer;
	char *grown;

	buffer = malloc(7);               /* 7-byte block */
	if (buffer == NULL)
		return 1;
	strcpy(buffer, "1234");           /* 5 bytes used, including the NUL */
	/* keep the old pointer until realloc succeeds, otherwise it leaks */
	grown = realloc(buffer, strlen(buffer) + 1024);
	if (grown == NULL) {
		free(buffer);
		return 1;
	}
	buffer = grown;
	free(buffer);
	return 0;
}


And this is the output of a run:

==203489== Memcheck, a memory error detector
==203489== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==203489== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==203489== Command: ./test
==203489== 
==203489== Invalid read of size 4
==203489==    at 0x4004BB: main (in /home/sworddragon/data/test)
==203489==  Address 0x51ce044 is 4 bytes inside a block of size 7 alloc'd
==203489==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==203489==    by 0x4004AD: main (in /home/sworddragon/data/test)
==203489== 
==203489== 
==203489== HEAP SUMMARY:
==203489==     in use at exit: 0 bytes in 0 blocks
==203489==   total heap usage: 2 allocs, 2 frees, 1,035 bytes allocated
==203489== 
==203489== All heap blocks were freed -- no leaks are possible
==203489== 
==203489== For counts of detected and suppressed errors, rerun with: -v
==203489== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)

** Affects: eglibc (Ubuntu)
     Importance: Undecided
         Status: New
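For readers trying to interpret a Memcheck report of this shape (a 4-byte read starting 4 bytes into a 7-byte block, with the correct length still being computed), the following is an added illustration, not code from the bug report, from glibc or from gcc. It models a length scan that loads 4 bytes at a time next to a plain byte-at-a-time scan, and applies Memcheck's bookkeeping rule (a load over-reads when offset + size exceeds the block size) to the final load of each. Whether the reporter's binary actually contains such a scan is not established by the report; the word-wise scan here is an assumption used to show the mechanism, and all names (load_overruns_block, strlen_wordwise, strlen_bytewise, last_load_overruns, BLOCK_SIZE, SAMPLE) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memcheck's complaint is about the load, not the result: a `size`-byte load
 * at `offset` inside a heap block of `block_size` bytes runs past the block
 * exactly when offset + size > block_size. Returns 1 if it over-reads. */
static int load_overruns_block(size_t offset, size_t size, size_t block_size)
{
    return offset + size > block_size;
}

/* Byte-at-a-time length scan. The last load is one byte at offset len. */
static size_t strlen_bytewise(const char *s, size_t *last_off, size_t *last_size)
{
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    *last_off = n;
    *last_size = 1;
    return n;
}

/* Word-at-a-time length scan (hypothetical model, not glibc's code): loads
 * 4 bytes per step and uses the classic "does this word contain a zero
 * byte" bit trick. Records the offset and size of the final load so the
 * caller can compare it with the block that holds the string. */
static size_t strlen_wordwise(const char *s, size_t *last_off, size_t *last_size)
{
    size_t off = 0;
    for (;;) {
        unsigned char b[4];
        uint32_t w;
        memcpy(b, s + off, sizeof b);          /* the 4-byte load */
        /* assemble little-endian so string byte i sits in bits 8i..8i+7
         * regardless of host endianness */
        w = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
            ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
        *last_off = off;
        *last_size = sizeof b;
        if ((w - 0x01010101u) & ~w & 0x80808080u) {   /* some byte is zero */
            for (size_t i = 0; i < sizeof b; i++)
                if (b[i] == 0)
                    return off + i;
        }
        off += sizeof b;
    }
}

/* Model of the report: "1234" stored in a 7-byte block. The string lives in
 * a larger zero-filled scratch area so both scans are safe to run here;
 * only the 7-byte block is modelled, via BLOCK_SIZE. */
#define BLOCK_SIZE 7
#define SAMPLE "1234"           /* constructed, same text as the report */

static int last_load_overruns(size_t (*scan)(const char *, size_t *, size_t *),
                              size_t *len_out)
{
    char scratch[16] = {0};
    size_t off, size;
    memcpy(scratch, SAMPLE, sizeof SAMPLE);
    *len_out = scan(scratch, &off, &size);
    return load_overruns_block(off, size, BLOCK_SIZE);
}

int main(void)
{
    size_t len;
    int over;

    over = last_load_overruns(strlen_bytewise, &len);
    printf("byte-wise: len=%zu, final load over-reads block: %s\n",
           len, over ? "yes" : "no");
    over = last_load_overruns(strlen_wordwise, &len);
    printf("word-wise: len=%zu, final load over-reads block: %s\n",
           len, over ? "yes" : "no");
    return 0;
}
```

Both scans return 4 for "1234", but the word-wise scan's final load covers offsets 4 through 7, one byte past a 7-byte block, which is exactly the "Invalid read of size 4 ... 4 bytes inside a block of size 7" bookkeeping Memcheck prints. The byte-wise scan's last load is the NUL at offset 4 and stays inside the block. When triaging such a report, the practical check is the same arithmetic: compare the reported read offset plus size against the allocated size and then look at whether the reading code is the program's own or a library or compiler-generated routine.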

https://bugs.launchpad.net/bugs/839001