Valgrind:在 strcpy 上写入大小 1 无效
Valgrind: Invalid write of size 1 on a strcpy
该代码试图将大型 uint8_t 数组序列化为二进制字符流。我应该在缓冲区中有足够的空间来复制这些数据;为什么我会收到这些错误?发布的是带有输出错误的完整可运行代码。使用的valgrind命令是:
valgrind --leak-check=yes --track-origins=yes ./prog
主线:
#include "string.h"
#include "stdio.h"
#include "stdlib.h"
#include "stdint.h"
#include <unistd.h>
#define MAX_FRAME_SIZE 9236
#define DAT_LEN 8202
void create_bit_stream(uint8_t frame[], size_t frame_size, char *frame_bits)
{
/*
* Takes in uint8_t array of data and converts to binary stream of characters
* frame : input array of uint8_t type data
* frame_size : size_t length of frame --> sizeof(frame)/sizeof(frame[0])
* frame_bits : pointer for returning the character string
*
* RETURNS string of binary values generated from input array
*/
uint8_t tmp[frame_size];
memset(tmp,0,frame_size);
memcpy(tmp,frame,frame_size);
// char bit_string[frame_size*8+1];
char *bit_string = malloc(frame_size*8+1);
memset(bit_string,'[=10=]',frame_size*8 + 1);
for (int i = 0; i < frame_size; i++)
{
for (int j = 0; j < 8; j++)
{
bit_string[i*8+j] = '0' + (tmp[i] >> 7);
tmp[i] <<= 1;
}
}
bit_string[frame_size*8] = '[=10=]';
strcpy(frame_bits, bit_string);
free(bit_string);
return;
}
int main(int argc, char *argv[])
{
char *frame_bits = malloc(MAX_FRAME_SIZE + 1);
if(!frame_bits)
{exit(EXIT_FAILURE);}
memset(frame_bits,'[=10=]',MAX_FRAME_SIZE + 1);
uint8_t *DAT_frame = malloc(DAT_LEN);
if(!DAT_frame)
{exit(EXIT_FAILURE);}
memset(DAT_frame,0,DAT_LEN);
//fill with arbitrary data
for(int i = 0; i < DAT_LEN; i++)
{
DAT_frame[i] = i % 255;
}
create_bit_stream(DAT_frame, DAT_LEN, frame_bits);
free(frame_bits); free(DAT_frame);
return 0;
}
错误:
==2994== Invalid write of size 1
==2994== at 0x4C31060: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x40088B: create_bit_stream (stack.c:36)
==2994== by 0x400993: main (stack.c:61)
==2994== Address 0x5205455 is 0 bytes after a block of size 9,237 alloc'd
==2994== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x4008CE: main (stack.c:45)
==2994==
==2994== Source and destination overlap in strcpy(0x5203040, 0x52074f0)
==2994== at 0x4C310E6: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x40088B: create_bit_stream (stack.c:36)
==2994== by 0x400993: main (stack.c:61)
您的 create_bit_stream 获取字节流并将其扩展为 ASCII-coded 位流。也就是说,如果你给它字节 0x42 ('B') 它会产生 string “01000010”,这是九个字节长(计算终止 nul) .您在为 frame_bits 分配 space 时忘记考虑这一点——不是在 create_bit_stream 中,而是在 main 中:
char *frame_bits = (char *)malloc((MAX_FRAME_SIZE + 1)*sizeof(char));
应该阅读
char *frame_bits = malloc(MAX_FRAME_SIZE * 8 + 1);
(Don't cast the result of malloc.)
(正如我在对该问题的评论中所指出的那样,sizeof(char) == 1 和 sizeof(uint8_t) == 1 根据定义 ;明确地写任何一个都是多余的和错误的代码闻。)
(像这样的 API,调用者提供一个 variable-length 缓冲区,被调用者写入缓冲区,应该始终传递输出缓冲区的大小。您的设计是危险的,原因与 gets 和 sprintf 是危险的。)
该代码试图将大型 uint8_t 数组序列化为二进制字符流。我应该在缓冲区中有足够的空间来复制这些数据;为什么我会收到这些错误?发布的是带有输出错误的完整可运行代码。使用的valgrind命令是:
valgrind --leak-check=yes --track-origins=yes ./prog
主线:
#include "string.h"
#include "stdio.h"
#include "stdlib.h"
#include "stdint.h"
#include <unistd.h>
#define MAX_FRAME_SIZE 9236
#define DAT_LEN 8202
void create_bit_stream(uint8_t frame[], size_t frame_size, char *frame_bits)
{
/*
* Takes in uint8_t array of data and converts to binary stream of characters
* frame : input array of uint8_t type data
* frame_size : size_t length of frame --> sizeof(frame)/sizeof(frame[0])
* frame_bits : pointer for returning the character string
*
* RETURNS string of binary values generated from input array
*/
uint8_t tmp[frame_size];
memset(tmp,0,frame_size);
memcpy(tmp,frame,frame_size);
// char bit_string[frame_size*8+1];
char *bit_string = malloc(frame_size*8+1);
memset(bit_string,'[=10=]',frame_size*8 + 1);
for (int i = 0; i < frame_size; i++)
{
for (int j = 0; j < 8; j++)
{
bit_string[i*8+j] = '0' + (tmp[i] >> 7);
tmp[i] <<= 1;
}
}
bit_string[frame_size*8] = '[=10=]';
strcpy(frame_bits, bit_string);
free(bit_string);
return;
}
int main(int argc, char *argv[])
{
char *frame_bits = malloc(MAX_FRAME_SIZE + 1);
if(!frame_bits)
{exit(EXIT_FAILURE);}
memset(frame_bits,'[=10=]',MAX_FRAME_SIZE + 1);
uint8_t *DAT_frame = malloc(DAT_LEN);
if(!DAT_frame)
{exit(EXIT_FAILURE);}
memset(DAT_frame,0,DAT_LEN);
//fill with arbitrary data
for(int i = 0; i < DAT_LEN; i++)
{
DAT_frame[i] = i % 255;
}
create_bit_stream(DAT_frame, DAT_LEN, frame_bits);
free(frame_bits); free(DAT_frame);
return 0;
}
错误:
==2994== Invalid write of size 1
==2994== at 0x4C31060: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x40088B: create_bit_stream (stack.c:36)
==2994== by 0x400993: main (stack.c:61)
==2994== Address 0x5205455 is 0 bytes after a block of size 9,237 alloc'd
==2994== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x4008CE: main (stack.c:45)
==2994==
==2994== Source and destination overlap in strcpy(0x5203040, 0x52074f0)
==2994== at 0x4C310E6: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994== by 0x40088B: create_bit_stream (stack.c:36)
==2994== by 0x400993: main (stack.c:61)
您的 create_bit_stream 获取字节流并将其扩展为 ASCII-coded 位流。也就是说,如果你给它字节 0x42 ('B') 它会产生 string “01000010”,这是九个字节长(计算终止 nul) .您在为 frame_bits 分配 space 时忘记考虑这一点——不是在 create_bit_stream 中,而是在 main 中:
char *frame_bits = (char *)malloc((MAX_FRAME_SIZE + 1)*sizeof(char));
应该阅读
char *frame_bits = malloc(MAX_FRAME_SIZE * 8 + 1);
(Don't cast the result of malloc.)
(正如我在对该问题的评论中所指出的那样,sizeof(char) == 1 和 sizeof(uint8_t) == 1 根据定义 ;明确地写任何一个都是多余的和错误的代码闻。)
(像这样的 API,调用者提供一个 variable-length 缓冲区,被调用者写入缓冲区,应该始终传递输出缓冲区的大小。您的设计是危险的,原因与 gets 和 sprintf 是危险的。)