31 lines
992 B
C
31 lines
992 B
C
|
#include <stdio.h>
|
||
|
#include <string.h>
|
||
|
|
||
|
char* f(int m) {
|
||
|
char buf[6];
|
||
|
int x;
|
||
|
|
||
|
if (m == 1 && x-- /* variable is read before initialization */) {
|
||
|
strcpy(buf, "AAAAAA"); // null-byte copy overflows buffer at index 7
|
||
|
return buf; // Return stack allocated array
|
||
|
} else if (m == 2) {
|
||
|
char* msg = (char*)malloc(100); // malloc is declared in <stdlib.h>
|
||
|
// While technically not UB, as it will be implicitly declared by the
|
||
|
// compiler, this is error-prone and the implicit declaration most
|
||
|
// likely does not match the actual function
|
||
|
strcpy(msg, "BBBBBB");
|
||
|
return msg;
|
||
|
}
|
||
|
// Missing return value
|
||
|
}
|
||
|
|
||
|
int main(int argc, char** argv) {
|
||
|
char* m;
|
||
|
m = f(argc);
|
||
|
putchar(m[0]); // if m != 2, either reads garbage stack memory or
|
||
|
// non-sensical pointer due to missing return value
|
||
|
return 0;
|
||
|
// Potential memory leak, if m == 2
|
||
|
// While not UB, it is frowned upon
|
||
|
}
|