MFocusHelp

BoundsChecker Doesn't Catch Memory Overwrite

I included a test program below that demonstrates writing outside of the bounds of an array which BoundsChecker doesn't catch. The error occurs when an array within a structure (on the heap) is overwritten outside of the bounds of the array as long as the memory is within the structure. Is this type of error something that BoundsChecker will be able to detect in the future?

Thanks,

Dan

#include "stdlib.h"
#include "stdio.h"
#include "string.h"
int main(void)
{
    struct mystruct
    {
        char a[4];
        char b[4];
        char c[4];
    };
    struct mystruct *sh = (struct mystruct *) malloc(sizeof(struct mystruct));

    // The following statement overwrites a 4 element array with 10 bytes
    // and is not detected by BoundsChecker
    sprintf(sh->a, "123456789");

    free(sh);
    return 0;
}

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

There is an undocumented setting you can use for this.  

First, you will need to close the project you are testing (whether you are using Visual Studio, or the standalone BoundsChecker program BC.EXE).

Next, edit the .DPBCD (configuration) file that is saved alongside the EXE file you are testing with NOTEPAD.  Search for the section "[BC MemoryTracker]".  In that section, there will be a setting "EnableStructureMemberEnumeration".  Set its value to "1" and save the configuration file.

Reload your project and test it.  This particular problem should no longer be an issue.

The reason this option remains undocumented is that there are still issues with it, particularly in relation to STL classes, especially the streaming console input and output classes, which use multiple inheritance in complicated ways.

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

Except for one thing.  I said there were still issues with it . . . and one of them is that it doesn't do this with dynamically allocated structures yet.  It handles automatic/stack allocation, and static/global allocation, but it does not handle structures that were dynamically allocated.  Not yet.  This is related to the fact that dynamic allocations, in and of themselves, are not typed, not at the level where we intercept the allocation.

MFocusHelp

RE: BoundsChecker Doesn't Catch Memory Overwrite

Thanks for your quick response. I changed the program (listed below) to not malloc the structure but put it on the stack. I also changed the configuration file and it still did not catch the error.

#include "stdlib.h"
#include "stdio.h"
#include "string.h"
int main(void)
{
    struct mystruct
    {
        char a[4];
        char b[4];
        char c[4];
    } sh;

    // The following statement overwrites a 4 element array with 10 bytes
    // and is not detected by BoundsChecker
    sprintf(sh.a, "123456789");

    return 0;
}

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

Sure, we can check this out.  Stay tuned.  You caught me stuffing my face (lunch), and I'm working on another problem.  Maybe later today.

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

Problem replicated.

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

The answer is simply this: because we cannot tell whether the address is the start of sh.a, as opposed to the start of "sh", we currently opt for the enclosing structure.  The access that you did did not overflow the enclosing structure, so we did not complain.  If, on the other hand, you were to insert something into the structure before member "a", we catch the problem.

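Added example, not code from this thread and not BoundsChecker's own logic: a small C program that models the distinction Rick describes. `inside_block` stands in for a checker that only knows an allocation's start and size (so a write that stays inside the 12-byte struct passes), while `INSIDE_MEMBER` stands in for one that knows the size of the member being written. The function names and both checks are my own constructions. The overflow itself is reproduced with a byte copy over the whole object representation rather than the original sprintf, so the program stays well-defined while still showing "5678" landing in `b`. The last function shows the bounded write that keeps the neighbour intact regardless of what the tool can see.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the struct in the thread: three adjacent 4-byte arrays. */
struct mystruct {
    char a[4];
    char b[4];
    char c[4];
};

/* Block-granular check (hypothetical): the checker knows only
   [base, base + block_size).  Returns 1 if nbytes at dst fit inside it. */
static int inside_block(const void *base, size_t block_size,
                        const void *dst, size_t nbytes)
{
    uintptr_t lo = (uintptr_t)base, d = (uintptr_t)dst;
    if (d < lo || d - lo > block_size)
        return 0;
    return nbytes <= block_size - (d - lo);
}

/* Member-granular check (hypothetical): the destination's own size is known. */
#define INSIDE_MEMBER(member, nbytes) ((nbytes) <= sizeof(member))

/* The thread's scenario, reproduced without undefined behaviour: the ten
   bytes of "123456789" plus NUL are copied at offset 0 of the object
   representation, so they spill out of a into b and c.
   Returns 1 if the sentinel in b was clobbered. */
int overflow_clobbers_neighbour(void)
{
    struct mystruct sh;
    memset(&sh, 0, sizeof sh);
    memcpy(sh.b, "bbb", 4);                 /* sentinel in the neighbour */
    const char *src = "123456789";
    size_t n = strlen(src) + 1;             /* 10 bytes including the NUL */
    memcpy((unsigned char *)&sh, src, n);   /* whole object is 12 bytes, so in range */
    return memcmp(sh.b, "bbb", 4) != 0;     /* 1: b now holds "5678" */
}

/* What a block-granular checker reports for that write into a heap struct:
   0, because 10 bytes at offset 0 fit within the 12-byte allocation. */
int block_checker_flags(void)
{
    struct mystruct *sh = malloc(sizeof *sh);
    if (!sh)
        return -1;
    int ok = inside_block(sh, sizeof *sh, sh->a, strlen("123456789") + 1);
    free(sh);
    return !ok;
}

/* What a member-granular checker reports: 1, because 10 > sizeof(sh.a). */
int member_checker_flags(void)
{
    struct mystruct sh;
    return !INSIDE_MEMBER(sh.a, strlen("123456789") + 1);
}

/* Hardened write: snprintf is bounded by the member's size and reports how
   many bytes it wanted, so truncation is detectable and b is untouched.
   Returns 1 if truncation was detected and the neighbour is intact. */
int bounded_write_keeps_neighbour(void)
{
    struct mystruct sh;
    memset(&sh, 0, sizeof sh);
    memcpy(sh.b, "bbb", 4);
    int n = snprintf(sh.a, sizeof sh.a, "%s", "123456789");
    int truncated = n < 0 || (size_t)n >= sizeof sh.a;
    return truncated && memcmp(sh.b, "bbb", 4) == 0 && strcmp(sh.a, "123") == 0;
}

int main(void)
{
    printf("overflow clobbers b:   %d\n", overflow_clobbers_neighbour());
    printf("block checker flags:   %d\n", block_checker_flags());
    printf("member checker flags:  %d\n", member_checker_flags());
    printf("bounded write safe:    %d\n", bounded_write_keeps_neighbour());
    return 0;
}
```

The block-level check is exactly why the heap case goes unreported in the thread: the allocation carries a size but no type, so the only bound the tool can enforce is the one around the whole block. The member-level check needs the type, which is what the structure-member enumeration setting supplies for stack and global objects.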
MFocusHelp

RE: BoundsChecker Doesn't Catch Memory Overwrite

Is this something that you will be able to implement in both a stack and particularly in a heap allocated structure? We have very large structures with hundreds of variables within each structure. We need this detection for each variable in a structure.

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

The main problem, for now, is how to ensure the association of the correct type with an allocated structure.  At the time something is allocated from the heap (via malloc or new), it has only a size, not a type.  It may be possible, at some point, to capture the constructor calls and from the "this" pointer therein discover that such-and-such a block of memory has a certain type (class or structure), but there is no guarantee of that.

BoundsChecker, as we inherited it from the wizards of the past, never supported this at all.  That we were able to add the functionality for statically and automatically allocated objects was quite a feat.  Making this work for dynamically allocated objects is theoretically possible, but far from easy.

Rick Papo

RE: BoundsChecker Doesn't Catch Memory Overwrite

FWIW, this problem could be solved (eventually) by doing two things: (1) instrumenting constructor calls, taking the object type information from the "this" pointer, and (2) capturing the assignment of a memory address to a pointer of a given type.  Part (2) is partially there already, in that we capture the assignment of memory addresses so that we can maintain reference counts on objects.  We just don't do anything with the type information for the receiving pointer yet.  Method (2) also has the complication of just what to do when the receiving pointer is of a parent class, rather than the specific class of the object.  In that case, though, method (1) should already have captured the object's type information, since such objects should always have a constructor.
