1 #include <stdlib.h>
2 #include <string.h>
3 
// This shows the case in which subtraction between two pointers from
// different segments can be used legitimately.
6 
7 // dest: stack, src: heap
char* my_strcpy (char* dest, const char* src)
{
   /*
    * Copy the NUL-terminated string at src into dest and return dest.
    *
    * Deliberately written so that every store goes through `s` (which
    * walks src) plus an offset obtained by subtracting the two pointers.
    * dest and src are expected to be different objects in different
    * segments (main's first call passes a stack buffer and a heap
    * string, its second two stack buffers), so `dest - s` is not a
    * difference between elements of one array object and is undefined
    * behaviour under the C standard.  The point of the file appears to
    * be exercising a pointer checker (see the BADSEG annotations in
    * main) on exactly this pattern: "legitimate" means the computed
    * address is the intended dest[i], not that the code is portable.
    *
    * No bounds checking, exactly like strcpy: dest must have room for
    * strlen(src) + 1 bytes.  The cast drops src's const so s can serve
    * as the base of the store.
    */
   char c, *s = (char *) src;
   long off = dest - s;     // NOTE(review): ptrdiff_t is the portable type; long is narrower than a pointer on LLP64 targets
   off = off - 1;           // s is advanced before the store below, so compensate by one
   do {
      c = *s++;
      s[off] = c;          // s + off == dest   (s == src + i + 1, so s + off == dest + i)
   } while (c != '\0');    // the terminator itself is copied before the loop stops
   return dest;
}
19 
int main(void)
{
   /*
    * Driver for a memory-safety / pointer checker.  It builds two heap
    * copies (p1, p2) and two stack buffers (u1, u2) sized for the same
    * 13-byte string, then performs indexed stores whose index is itself
    * a pointer difference.  The comment on each store records what the
    * checker is expected to say: "must be BADSEG'd" marks the stores
    * whose difference is taken against the heap pointer p1 (the p-p and
    * ?-p cases); "undet" marks the underrun stores taken against the
    * stack array u1 (p-? and ?-?).  "ea" is the effective address.
    *
    * The first group lands exactly on byte 0 of the other object (in
    * bounds); the second group lands one byte before it, a 1-byte
    * underrun the checker is expected to catch.  Run natively without a
    * checker, those underruns write memory the program does not own
    * (p2[-1] is presumably allocator bookkeeping, u2[-1] whatever the
    * compiler placed before u2 on the stack) and may corrupt state or
    * crash -- that is the intent of the test, not a bug to fix here.
    */
   char* h  = "hello, world";   // 12 chars + NUL = 13 bytes, matches u1/u2
   char* p1 = strdup(h);        // heap copies; not NULL-checked and never freed
   char* p2 = strdup(h);
   char  u1[13];
   char  u2[13];

   // All these are legit
   p1[p2-p1] = 0;    // p-p   (must be BADSEG'd) // ea is p2[0]
   u1[p2-u1] = 0;    // p-?                      // ea is p2[0]
   p1[u2-p1] = 0;    // ?-p   (must be BADSEG'd) // ea is u2[0]
   u1[u2-u1] = 0;    // ?-?                      // ea is u2[0]

   // All these are a 1-byte underrun
   p1[p2-p1-1] = 0;  // p-p   (must be BADSEG'd) // ea is p2[-1]
   u1[p2-u1-1] = 0;  // p-?   (undet)            // ea is p2[-1]
   p1[u2-p1-1] = 0;  // ?-p   (must be BADSEG'd) // ea is u2[-1]
   u1[u2-u1-1] = 0;  // ?-?   (undet)            // ea is u2[-1]

   // p1 was never written to above (only p2, u2), so it still holds the
   // full string; u1 receives it from the heap, u2 from the stack.
   my_strcpy(u1, p1);
   my_strcpy(u2, u1);

   return 0;
}