#include <stdlib.h>
#include <string.h>

// Test input for (presumably) a pointer/segment checker -- the "BADSEG"
// annotations below refer to the reports it is expected to produce.
// It shows a case where the difference between two pointers into
// different segments (a stack array and a heap block) is used
// legitimately, next to cases that are deliberate 1-byte underruns.
// The exact expressions are what the checker has to classify, so they
// are intentionally left as written; this is not production
// string-handling code.

// Copy the NUL-terminated string at src into dest and return dest.
// dest: stack, src: heap (first call from main below; the second call
// is stack -> stack).
//
// Precondition (not checked): dest has room for strlen(src) + 1 bytes.
// Like strcpy there is no bound, so the caller owns the sizing.
// The copy is deliberately written so that every store goes through
// src's pointer plus a cross-segment offset, never through dest itself.
char* my_strcpy (char* dest, const char* src)
{
    char c, *s = (char *) src;   // const dropped only so s can be advanced/indexed; src's bytes are never written
    long off = dest - s;         // cross-segment pointer difference (ptrdiff_t) kept in a long
    off = off - 1;               // compensate for the s++ that precedes each store
    do {
        c = *s++;
        s[off] = c;              // s + off == dest + (chars already copied)
    } while (c != '\0');
    return dest;
}

int main(void)
{
    char* h = "hello, world";
    char* p1 = strdup(h);        // heap copies; results are neither NULL-checked nor freed,
    char* p2 = strdup(h);        // which is acceptable only in this throwaway test
    char u1[13];                 // exactly strlen(h) + 1 bytes: my_strcpy fills it with no slack
    char u2[13];

    // All these are legit: each index is the difference to another base,
    // so the effective address (ea) lands inside the other object.
    p1[p2-p1] = 0;   // p-p (must be BADSEG'd) // ea is p2[0]
    u1[p2-u1] = 0;   // p-?
    p1[u2-p1] = 0;   // ?-p (must be BADSEG'd)
    u1[u2-u1] = 0;   // ?-?

    // All these are a 1-byte underrun: the same differences minus one put
    // the ea one byte before the other object.  Intentional -- these are
    // the accesses the checker is expected to report.
    p1[p2-p1-1] = 0; // p-p (must be BADSEG'd) // ea is p2[-1]
    u1[p2-u1-1] = 0; // p-? (undet)
    p1[u2-p1-1] = 0; // ?-p (must be BADSEG'd)
    u1[u2-u1-1] = 0; // ?-? (undet)

    // Exercise the cross-segment copy: heap -> stack, then stack -> stack.
    // p1 is still intact here (the stores above hit p2, u1 and u2 only).
    my_strcpy(u1, p1);
    my_strcpy(u2, u1);

    return 0;
}