Interesting void* bug

Hilton Medeiros medeiros.hilton@gmail.com
Sun Nov 7 14:39:00 GMT 2010


On Sun, 07 Nov 2010 12:16:40 +0200
Kalle Olavi Niemitalo <kon@iki.fi> wrote:

> Hilton Medeiros <medeiros.hilton@gmail.com> writes:
> 
> > I'm trying to use the libRocket library for my projects but I
> > stumbled upon a bug I can't figure out why it is happening.
> 
> It is a buffer overflow.  On amd64, sizeof(String) is 24 because
> it contains two pointers and a size_t and each of those is 8 bytes.
> This does not fit in Rocket::Core::Variant::DataBlock::data,
> which is char[16].  The DataBlock constructor makes data_ptr
> point to the data array, and Variant::NewDataBlock then constructs
> the String there.
> 
> You can:
> - Make the data array larger, at least char[sizeof(String)].
>   Note this does not guarantee correct alignment.
> - Add a runtime check so that, if the data array is not large
>   enough for the desired type, then either DataBlock::DataBlock
>   or Variant::NewDataBlock changes DataBlock::data_ptr to point
>   to separately allocated memory.  DataBlock::~DataBlock would
>   then have to free this memory if data_ptr != data.

Ahh you figured it out! I can't believe it, thanks a _lot_ for testing
and debugging it! Sad thing is that I was far from this answer... :'(.

It is a very interesting behavior: no errors, just a weird behavior. I
will never forget this.

Now I know the library has not been tested much in amd64, and I will
keep an eye out for others like this.

I learnt a lot here, thank you again,
Hilton
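
Kalle's second suggestion above (a runtime check that redirects data_ptr to separately allocated memory, freed in the destructor only when data_ptr != data), worked as an added example that is not libRocket's own code: DataBlock and NewDataBlock here are hypothetical stand-ins, std::string stands in for Rocket's String (also larger than 16 bytes on amd64), and malloc/free stand in for whatever allocator the library uses.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <string>
#include <utility>
// Hypothetical stand-in for Rocket::Core::Variant::DataBlock, not libRocket's
// own code. The inline buffer keeps the original char[16]; alignas addresses
// the alignment caveat from the thread, malloc the "does not fit" case.
struct DataBlock {
    alignas(std::max_align_t) char data[16];
    char* data_ptr;
    void (*destroy)(void*) = nullptr;
    // Runtime check: use separately allocated memory when the requested size
    // exceeds the inline array (the unchecked original always used data).
    explicit DataBlock(std::size_t needed)
        : data_ptr(needed <= sizeof(data) ? data
                                          : static_cast<char*>(std::malloc(needed))) {}
    ~DataBlock() {
        if (destroy) destroy(data_ptr);            // run the stored object's destructor
        if (data_ptr != data) std::free(data_ptr); // free only the heap-backed case
    }
    DataBlock(const DataBlock&) = delete;
    DataBlock& operator=(const DataBlock&) = delete;
    bool is_inline() const { return data_ptr == data; }
};
// Replacement for Variant::NewDataBlock: the constructor picks the storage,
// then T is placement-constructed at data_ptr and its destructor recorded.
template <typename T, typename... Args>
DataBlock* NewDataBlock(Args&&... args) {
    DataBlock* block = new DataBlock(sizeof(T));
    new (block->data_ptr) T(std::forward<Args>(args)...);
    block->destroy = [](void* p) { static_cast<T*>(p)->~T(); };
    return block;
}
// A std::string (24 or 32 bytes on amd64) takes the heap path and survives intact.
bool StringRoundTrip() {
    DataBlock* block = NewDataBlock<std::string>("hello from amd64");
    bool placed_right = block->is_inline() == (sizeof(std::string) <= sizeof(block->data));
    bool ok = placed_right &&
              *reinterpret_cast<std::string*>(block->data_ptr) == "hello from amd64";
    delete block;
    return ok;
}
// A small type still fits inline, so no separate allocation happens for it.
bool IntStaysInline() {
    DataBlock* block = NewDataBlock<int>(42);
    bool ok = block->is_inline() && *reinterpret_cast<int*>(block->data_ptr) == 42;
    delete block;
    return ok;
}
```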