Insure++ Reference - READ_OVERFLOW
This error is generated whenever a read operation would access a piece
of memory beyond the valid range for a block.
This code attempts to copy a string into the array
b . Note that although the array is large enough,
the memcpy operation will fail, since it attempts
to read past the end of the string a .
1: /*
2: * File: readovr1.c
3: */
4: main()
5: {
6: char *a = "TEST";
7: char b[20];
8:
9: memcpy(b, a, sizeof(b));
10: return (0);
11: }
[readovr1.c:9] **READ_OVERFLOW**
1. >> memcpy(b, a, sizeof(b));
2. Reading overflows memory: <argument 2>
bbbbb
3. | 5 | 15 |
rrrrrrrrrrrrrrrr
Reading (r): 0x00012218 thru 0x0001222b (20 bytes)
4. From block(b): 0x00012218 thru 0x0001221c (5 bytes)
a, declared at readovr1.c, 6
5. Stack trace where the error occurred:
memcpy() (interface)
main() readovr1.c, 9
- Source line at which the problem was detected.
- Description of the problem and the expression that is in error.
- Schematic showing the relative layout of the actual
memory block (
b ) and region being read
(r ).
(See "Overflow
diagrams").
- Range of memory being read and description of the block
from which the read is taking place, including its size and
the location of its declaration.
- Stack trace showing the function call sequence leading to the
error.
A second fairly common case arises when strings are not terminated
properly. The code shown below copies a string using the
strncpy routine, which leaves it non-terminated
since the buffer is too short. When we attempt to print this message,
an error results.
1: /*
2: * File: readovr2.c
3: */
4: main()
5: {
6: char junk;
7: char b[8];
8: strncpy(b, "This is a test",
9: sizeof(b));
10: printf("%s\n", b);
11: return (0);
12: }
[readovr2.c:9] **READ_OVERFLOW**
1. >> printf("%s\n", b);
2. String is not null terminated within range: b
3. Reading : 0xf7fffb50
4. From block : 0xf7fffb50 thru 0xf7fffb57 (8 bytes)
b, declared at readovr2.c, 7
Stack trace where the error occurred:
5. main() readovr2.c, 10
- Source line at which the problem was detected.
- Description of the problem and the expression that is in error.
- Pointer being used as a string.
- Block from which the read is taking place, including its
size and the location of its declaration.
- Stack trace showing the function call sequence leading to the
error.
A slight variation on this misuse of strings occurs when the pointer,
passed as a string, lies completely outside the range of its buffer. In
this case, the diagnostics will appear as above except that the
description line will contain the message
Alleged string does not begin within legal range
This code attempts to read past the end of the allocated memory block
by reading the second element of the union.
1: /*
2: * File: readovr3.c
3: */
4: #include <stdlib.h>
5:
6: struct small {
7: int x;
8: };
9:
10: struct big {
11: double y;
12: };
13:
14: union two
15: {
16: struct small a;
17: struct big b;
18: };
19:
20: int main()
21: {
22: struct small *var1;
23: union two *ptr;
24: double d;
25:
26: var1 = (struct small *)
malloc (sizeof(struct small));
27: ptr = (union two *) var1;
28: d = ptr->b.y;
29: return(0);
30: }
[readovr3.c:28] **READ_OVERFLOW**
1. >> d = ptr->b.y;
2. Structure reference out of range: ptr
bbbbb
3. | 4 | 4 |
rrrrrrrrr
Reading (r): 0x0001fce0 thru 0x0001fce7 (8 bytes)
4. From block(b): 0x0001fce0 thru 0x0001fce3 (4 bytes)
block allocated at:
malloc() (interface)
main() readovr3.c, 26
Stack trace where the error occurred:
5. main() readovr3.c, 28
- Source line at which the problem was detected.
- Description of the problem and the expression that is in error.
- Schematic showing the relative layout of the actual memory block
(
b ) and region being read (r ).
(See "Overflow diagrams
".)
- Range of memory being read and description of the block
from which the read is taking place, including its size and
the location of its declaration.
- Stack trace showing the function call sequence leading to the
error.
This code shows a C++ example that can occur when using inheritance
and casting pointers incorrectly.
1: /*
2: * File: readover.C
3: */
4: #include <stdlib.h>
5:
6: class small
7: {
8: public:
9: int x;
10: };
11:
12: class big : public small
13: {
14: public:
15: double y;
16: };
17:
18: int main()
19: {
20: small *var1;
21: big *var2;
22: double d;
23:
24: var1 = new small;
25: var2 = (big *) var1;
26: d = var2->y;
27: return (0);
28: }
[readover.C:26] **READ_OVERFLOW**
1. >> d = var2->y;
2. Structure reference out of range: var2
bbbbb
3. | 4 | 4 | 8 |
rrrrrrr
Reading (r): 0x0001fce0 thru 0x0001fce7 (8 bytes)
4. From block(b): 0x0001fce0 thru 0x0001fce3 (4 bytes)
var1, allocated at:
operator new()
main() readover.C, 24
Stack trace where the error occurred:
5. main() readover.C, 26
- Source line at which the problem was detected.
- Description of the problem and the expression that is in error.
- Schematic showing the relative layout of the actual memory block
(
b ) and region being read (r ).
(See "Overflow diagrams
".)
- Range of memory being read and description of the block
from which the read is taking place, including its size and
the location of its declaration.
- Stack trace showing the function call sequence leading to the
error.
These errors often occur when reading past the end of a string or using
the sizeof operator incorrectly. In most cases, the
indicated source line contains a simple error.
The code for problem #1 could, for example, be corrected by changing
line 9 to
memcpy(b, a, strlen(a)+1);
READ_NULL
READ_UNINIT_MEM
|