Read overflow, on dynamically allocated memory. Again, we attempt a read, this time on a dynamically allocated memory buffer, past its last legally accessible location:
/* test case 6 : out-of-bounds : read overflow [on dynamic memory] */
static void read_overflow_dynmem(void)
{
    char *arr;

    arr = malloc(5);
    if (!arr)
        FATAL("malloc failed\n");
    memset(arr, 'a', 5);

    /* Bug 1: Steal secrets via a buffer overread.
     * Ensure the next few bytes are _not_ NUL.
     * Ideally, this should be caught as a bug by the compiler,
     * but isn't! (Tools do; seen later).
     */
    arr[5] = 'S'; arr[6] = 'e'; arr[7] = 'c';
    arr[8] = 'r'; arr[9] = 'e'; arr[10] = 'T';
    printf("arr = %s\n", arr);

    /* Bug 2, 3: more read buffer overflows */
    printf("*(arr+100)=%d\n", ...
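
The defensive counterpart of the reads in the test case above, as an added example (not code from the original text): the allocation length travels with the pointer, so the string print and the indexed read both stop at the end of the buffer. The helper names bounded_strlen, print_bounded, read_at and safe_read_demo are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the text in buf, never looking past the buflen bytes we own. */
static size_t bounded_strlen(const char *buf, size_t buflen)
{
    const char *nul = memchr(buf, '\0', buflen);
    return nul ? (size_t)(nul - buf) : buflen;
}

/* Counterpart of Bug 1: print without relying on a terminator.
 * "%.*s" reads at most 'precision' bytes. Returns bytes printed. */
static size_t print_bounded(const char *label, const char *buf, size_t buflen)
{
    size_t n = bounded_strlen(buf, buflen);
    if (n > INT_MAX)
        n = INT_MAX;                 /* precision argument is an int */
    printf("%s = %.*s\n", label, (int)n, buf);
    return n;
}

/* Counterpart of Bugs 2, 3: checked indexed read; -1 if idx is out of range. */
static int read_at(const char *buf, size_t buflen, size_t idx, char *out)
{
    if (idx >= buflen)
        return -1;
    *out = buf[idx];
    return 0;
}

/* Constructed scenario mirroring the test case: 5 bytes of 'a', no NUL.
 * Returns 0 when every read stayed inside the allocation as expected. */
int safe_read_demo(void)
{
    const size_t len = 5;
    char c = 0;
    char *arr = malloc(len);
    if (!arr)
        return -1;
    memset(arr, 'a', len);
    int ok = print_bounded("arr", arr, len) == len  /* stops at byte 5 */
          && read_at(arr, len, 4, &c) == 0 && c == 'a'
          && read_at(arr, len, 100, &c) == -1;      /* arr+100 rejected */
    free(arr);
    return ok ? 0 : 1;
}

int main(void) { return safe_read_demo(); }
```

Building the original test case with `-fsanitize=address` (GCC or Clang) reports the first access past the 5-byte block as a heap-buffer-overflow at run time.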