Out-of-bounds pointers

Anthony Scian afscian at violet.waterloo.edu
Thu Oct 12 02:15:35 AEST 1989 

In article <238 at bbxsda.UUCP> scott at bbxsda.UUCP (Scott Amspoker) writes:
>In article <4813 at tekcrl.LABS.TEK.COM> terryl at tekcrl.LABS.TEK.COM writes:
> +
> +As my original posting explained, the pointer *is* manipulated by
> +popping it off the stack upon return from free().  The original
							  ^^^^^^^^
> +posting explained every step that takes place leading up to the core
> +dump.  If you believe that any of those steps violates the ANSI draft
> +then please state which one.
> 
>> [erroneous argument about call-by-reference]
>>that special address register; that's call by value/result, not call by
>>value, so the last step (put back in that special address register) should
>>NOT be done at all.....
>
>It is customary for subroutines (such as free()) to save registers
>on the stack and restore their values upon return.  NOTHING IS
>BEING PASSED BACK TO THE CALLER!  The subroutine is merely
>restoring a register to its original value.  The value of the
>pointer is being pushed as an argument to the subroutine.  That
>value ultimately is discarded.  However, the register containing
>the pointer may also be pushed to preserve its value.
Being the author of the posting in question, let me say that the example
was supposed to show that it was possible to core dump even if the
"freed" pointer was never explicitly referenced or dereferenced.
Unfortunately, there is an important distinction between a
system-dependent "free" and a pANSI "free". The example for
OS/2 was specific to a low-level system "free" not pANSI "free".
A pANSI compliant compiler cannot allow this to happen with
the reserved library routine "free".

SUMMARY:
If the calling convention allows trapping pointer registers (on load
of bad value) to be saved across calls, it is up to the compiler
run-time library to allow the pointer passed to the pANSI routine
"free" to be LOADable in an address register after the "free" PERIOD.
Though POPable would be the minimum requirement in theory.

Anthony
//// Anthony Scian afscian at violet.uwaterloo.ca afscian at violet.waterloo.edu ////
"I can't believe the news today, I can't close my eyes and make it go away" -U2

More information about the Comp.std.c mailing list