Read underflow. We attempt a read on a dynamically allocated memory buffer, before its first legally accessible location:
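```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FATAL() is the program's own error macro; it is not defined in this excerpt. */

/* test case 7 : out-of-bounds : read underflow */
static void read_underflow(int cond)
{
    char *dest, src[] = "abcd56789", *orig;

    printf("%s(): cond %d\n", __FUNCTION__, cond);
    dest = malloc(25);
    if (!dest)
        FATAL("malloc failed\n");
    orig = dest;    /* keep the original pointer for free() */

    /* copy the terminating NUL as well, so the %s below stops at the end of src */
    strncpy(dest, src, strlen(src) + 1);
    if (cond) {
        *(orig-1) = 'x';    /* store a byte just before the buffer */
        dest--;             /* dest now points one byte before the allocation */
    }
    printf(" dest: %s\n", dest);    /* with cond set, this read starts out of bounds */

    free(orig);
}
```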
The test case is designed with a runtime condition; we test it both ways:
```c
case 7:
    read_underflow(0);
    read_underflow(1);
    break;
```
If the condition evaluates to true, the buffer pointer is decremented, thus causing a read buffer underflow on the subsequent ...
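A plain `malloc` buffer gives no signal when the byte just before it is read, so the following added example (not code from the original text) shows the guard-page approach used by debugging allocators: the buffer is placed directly after an inaccessible page, and the read at offset -1 faults. The names `guarded_alloc` and `probe_read` are hypothetical, and Linux `mmap`/`mprotect` semantics are assumed.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical helper: map [guard page | data]. The guard page is PROT_NONE,
 * so any access just below the returned pointer raises SIGSEGV. */
static char *guarded_alloc(size_t len, size_t *maplen)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (len + pg - 1) / pg * pg;     /* round up to whole pages */
    char *base = mmap(NULL, pg + data, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base, pg, PROT_NONE) != 0) {
        munmap(base, pg + data);
        return NULL;
    }
    *maplen = pg + data;
    return base + pg;               /* first legally accessible byte */
}

/* Hypothetical helper: read buf[off] in a child process. Returns the signal
 * that killed the child, 0 if the read completed, -1 on setup failure. */
static int probe_read(long off)
{
    size_t maplen = 0;
    int status = 0, rc = -1;
    char *buf = guarded_alloc(25, &maplen);
    if (!buf)
        return -1;
    strcpy(buf, "abcd56789");       /* constructed sample data */
    pid_t pid = fork();
    if (pid == 0)                   /* child: the read completes or faults */
        _exit(*(volatile char *)(buf + off) == '\0');
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        rc = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    munmap(buf - (size_t)sysconf(_SC_PAGESIZE), maplen);
    return rc;
}

int main(void)
{
    printf("read buf[0]:  signal %d\n", probe_read(0));
    printf("read buf[-1]: signal %d (SIGSEGV is %d)\n", probe_read(-1), SIGSEGV);
    return 0;
}
```

The probe runs in a child process so the fault can be observed from the parent without terminating the program.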