PetscTrMallocDefault(): possible buffer overrun

Lisandro Dalcin dalcinl at gmail.com
Tue Sep 15 20:07:28 CDT 2009


Barry, please consider Linux 64 bits (but not Win64) and a real,
single precision PetscScalar (i.e. C "float"). Then in this scenario
sizeof(long) is 8 and sizeof(PetscScalar) is 4.

Now, go to PetscTrMallocDefault() and notice the extra
sizeof(PetscScalar) allocated to save the sentinel cookie at the end
of the buffer. Next, let's see the actual line storing the sentinel
value:

*(unsigned long *)(inew + nsize) = COOKIE_VALUE;

Perhaps I'm missing something, but this seems to be a buffer overrun:
8 bytes (unsigned long) will be written, but only 4 bytes (float) were
allocated... Again this is for the very specific combination of Linux
(OS X?) 64 bits and real single precision PetscScalar. Perhaps we
should allocate sizeof(union{long,PetscScalar}) instead of just
sizeof(PetscScalar) ??

IIUC, you were the author of this stuff. Then, it would be great if
you could review this :-)

Thanks,

-- 
Lisandro Dalcín
---------------
Centro Internacional de Métodos Computacionales en Ingeniería (CIMEC)
Instituto de Desarrollo Tecnológico para la Industria Química (INTEC)
Consejo Nacional de Investigaciones Científicas y Técnicas (CONICET)
PTLC - Güemes 3450, (3000) Santa Fe, Argentina
Tel/Fax: +54-(0)342-451.1594
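The size mismatch described above, as an added example that is not PETSc's own code and not part of the original message. It assumes a hypothetical `PetscScalar` typedef of `float`, a made-up `EXAMPLE_COOKIE` constant standing in for the real `COOKIE_VALUE`, and uses `memcpy` instead of the direct `(unsigned long *)` cast so the store is also alignment-safe; the union-sized tail slot is the fix the message proposes.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for PETSc's real single-precision scalar. */
typedef float PetscScalar;

/* Constructed sentinel; PETSc's actual COOKIE_VALUE is not reproduced here. */
#define EXAMPLE_COOKIE 0xDEADBEEFUL

/* Tail slot size as the message says it is currently allocated. */
size_t sentinel_slot_current(void) { return sizeof(PetscScalar); }

/* Tail slot size under the proposed fix: sizeof(union{long, PetscScalar}). */
size_t sentinel_slot_proposed(void) {
    union { long l; PetscScalar s; } u;
    return sizeof(u);
}

/* Bytes written by "*(unsigned long *)(inew + nsize) = COOKIE_VALUE;". */
size_t sentinel_write_size(void) { return sizeof(unsigned long); }

/* 1 if a tail slot of `slot` bytes can absorb the sentinel store without
   writing past the end of the allocation, 0 otherwise. */
int slot_is_safe(size_t slot) { return slot >= sentinel_write_size(); }

/* Allocates nsize payload bytes plus the union-sized tail, stores the cookie
   after the payload, reads it back. Returns 1 if the cookie round-trips.
   With the proposed tail size the store is always in bounds. */
int store_and_check_sentinel(size_t nsize) {
    size_t tail = sentinel_slot_proposed();
    unsigned char *inew = malloc(nsize + tail);
    if (!inew) return 0;
    memset(inew, 0, nsize + tail);

    unsigned long cookie = EXAMPLE_COOKIE;
    /* memcpy: avoids misaligned access when nsize is not a multiple of
       the alignment of unsigned long, unlike the direct pointer cast. */
    memcpy(inew + nsize, &cookie, sizeof cookie);

    unsigned long readback;
    memcpy(&readback, inew + nsize, sizeof readback);
    free(inew);
    return readback == EXAMPLE_COOKIE;
}

int main(void) {
    printf("sizeof(unsigned long) = %zu\n", sentinel_write_size());
    printf("current tail slot      = %zu bytes -> %s\n",
           sentinel_slot_current(),
           slot_is_safe(sentinel_slot_current()) ? "ok" : "OVERRUN");
    printf("proposed tail slot     = %zu bytes -> %s\n",
           sentinel_slot_proposed(),
           slot_is_safe(sentinel_slot_proposed()) ? "ok" : "OVERRUN");
    return store_and_check_sentinel(13) ? 0 : 1;
}
```

On an LP64 platform (Linux x86-64) the current slot reports 4 bytes against an 8-byte write, which is the overrun the message describes; on ILP32 or Win64 (where long is 4 bytes) both slots report "ok", which is why the bug only shows up for that specific combination.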


