An analysis of array-crossing problem in C programming language _c language

Because the C language does not check the array is out of bounds, and the array is one of the data structures that we often use, so the program will often encounter the array of bounds, and the consequences of light read and write data is not correct, the heavy program crash. Let's analyze the array's bounds:
1 array bounds in the heap

Because the heap is allocated by ourselves, if it crosses the line, it writes out data from other spaces in the heap, or reads data from other spaces, which causes the data of other variables to become wrong, and if it is a pointer, it may cause crash

2 The array bounds in the stack

Because the stack is growing downward, before entering a function, the parameter and the next instruction address to execute (via call) are pressed, the EBP is pressed on the function entrance, and the ESP is assigned to EBP, and the EBP value is assigned to ESP when the function returns. Pop previous stack of the superior function stack of the base address to EBP, restore the original stack base address, and then call the function before the pressure into the stack of the instructions to pop out (through the RET implementation).

Stacks are grown from high to low, while array storage is stored from low to high, if it crosses the line, the current function's EBP and the next hop's instruction address are overwritten, and if the EBP of the current function is overwritten, the ESP cannot point to the correct place at the time of the recovery, causing an unknown situation, If the next jump address is also covered, it will definitely lead to crash.

-------------------------

Pressed parameters and function pointers

-------------------------

AA[4]

AA[3]

Valid array space aa[2]

AA[1]

AA[0]

-------------------------

# # #sta. c###

#include <stdio.h> void f (int ai) {int aa[5]={1,2,3}; int i = 1; for (i=0;i<10;i++) aa[i]=i; printf ("F ()/n");

 

 

} void Main () {f (3); printf ("ok/n"); # # #sta. s###. File "STA.C"; description of the source program for the Assembly. Section. Rodata; Description The following is a read-only data area. LC0:. String "F ()"; The type of f () is string and the address is LC0. text; Globl F. f is globally accessible. Type F, @fun ction;  F is the function F:pushl%ebp movl%esp,%ebp subl $,%esp movl $, -24 (%EBP) MOVL $ -20 (%EBP) MOVL $ -16 (%EBP) MOVL $ -12 (%EBP) MOVL $ -8 (%EBP) Movl $, -24 (%EBP) Movl $, -20 (%EBP) MOVL $ , -16 (%EBP) MOVL $ -4 (%EBP) MOVL $ -4 (%EBP) jmp. L2. L3:movl-4 (%EBP),%edx movl-4 (%EBP),%eax movl,%eax, -24 (%ebp,%edx,4) Addl $ -4 (%EBP). L2:cmpl $ -4 (%EBP) Jle. L3 MOVL $. LC0, (%ESP) call puts leave Ret. size F,. f; Used to calculate the size of function f. Section. Rodata.
    LC1:. String "OK". Text GLOBL Main. Type Main, @function main:leal 4 (%ESP),%ecx Andl $-16,%esp  Pushl-4 (%ECX) pushl%ebp movl%esp,%EBP pushl%ecx subl $,%esp movl $, (%ESP) call F MOVL $. LC1, (%ESP) call puts Addl $,%esp popl%ecx popl,%ebp leal-4 (%ECX),%ESP ret. Size MA In,.-main. Ident "GCC: (GNU) 4.1.2 20070115 (SUSE Linux)", what tools are compiled with. Section. Notes.

 Gnu-stack, "", @progbits

Starting with the argument that the main function is pressed into the F function, the stack is invoked as follows

Figure 1 Pressing into parameters

Figure II Press the next hop through the call command IP address

Figure three function f to save EBP by PUSHL%EBP

Figure four function F through MOVL%esp,%EBP let EBP point to ESP so that ESP can be modified to restore ESP with the value of EBP when the function returns

Figure five function f to reserve space for local variables of functions through SUBL $%esp

Figure six int array aa[5] takes up 20 bytes of space, and int I occupies 4 bytes of space (next to the%EBP that was pushed into the stack)

Therefore, if AA[5] is assigned, the value of I is overwritten,

If you assign a value to Aa[6], will be covered in the stack of%EBP, then the function f return can not be restored to the EBP, that is, the main function of the EBP has become the value of our coverage, the program does not know what will happen, but because our program next to not call the contents of the stack, So it can still be run.

If the aa[7] is assigned, it will cover the stack of%IP, in the function f return can not correctly find the next jump address, will be crash;