memcheck/tests/freebsd/strlcat_strlcpy.c

   1 #include <string.h>
   2 #include <stdlib.h>
   3 #include <assert.h>
   4 #include <stdio.h>
   5
   6 int main(void)
   7 {
   8    const size_t dstsize = 100U;
   9    char *dst = malloc(dstsize);
  10    // normal use
  11    strlcpy(dst, "test1", dstsize);
  12    assert(!strcmp(dst, "test1"));
  13    strcat(dst, "test2");
  14    // overlap, source starts within dst string
  15    strlcpy(dst+4, dst+9, dstsize-4);
  16    sprintf(dst, "test1test2");
  17    // overlap, dst starts within src string
  18    strlcpy(dst+9, dst+4, dstsize-9);
  19    sprintf(dst, "test1");
  20    // overlap, dst points to nul terminator of src
  21    strlcpy(dst+5, dst+4, dstsize-5);
  22    sprintf(dst, "test1");
  23    // as above but incorrect length (1 too long)
  24    // since src nul is overwritten this will
  25    // keep reading from src until the length limit
  26    // is reached
  27    // since the length is wrong this will result
  28    // in an invalid read and write 1 byte
  29    // beyond the end of the buffer
  30    strlcpy(dst+5, dst+4, dstsize-4);
  31
  32    sprintf(dst, "test1");
  33    strlcat(dst, "test2", dstsize);
  34    assert(!strcmp(dst, "test1test2"));
  35
  36    strlcat(dst+5, dst+7, dstsize-5);
  37    sprintf(dst, "test1test2");
  38    // we can't really control 'dst' since
  39    // the destination id the end of the string
  40    strlcat(dst+7, dst+5, dstsize-7);
  41
  42    // again wrong dstsize
  43    sprintf(dst, "test1");
  44    strlcpy(dst+3, dst+4, dstsize-2);
  45    free(dst);
  46 }
  47