I’m a bit confused about the malloc() function.
If sizeof(char) is 1 byte and malloc() takes the number of bytes to allocate as its argument, then if I do:
char* buffer = malloc(3);
I allocate a buffer that can store 3 characters, right? But when I run this:
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char* s = malloc(3);
    int i = 0;
    while(i < 1024) { s[i] = 'b'; i++; }   /* writes far past the 3 bytes allocated */
    s[i++] = '$';
    s[i] = '\0';
    printf("%s\n",s);
    return 0;
}
it works fine and stores 1024 b's in s:
bbbb[...]$
Why doesn’t the code above cause a buffer overflow? Can anyone explain?
malloc(size) returns a location in memory where at least size bytes are available for you to use. You are likely to be able to write to the bytes immediately after s[size], but those bytes may belong to the structures that malloc() has used to keep track of what your program has used. Corrupting this is very bad! Or, as for s[size + large_number], they may not belong to your program at all. It’s difficult to say which one of these will happen because accessing outside the space you asked malloc() for will result in undefined behaviour.

In your example, you are overflowing the buffer, but not in a way that causes an immediate crash. Keep in mind that C does no bounds checking on array/pointer accesses.

Also, malloc() creates memory on the heap, but buffer overflows are usually about memory on the stack. If you want to create one as an exercise, use

char s[3];

instead. This will create an array of 3 chars on the stack. On most systems, there won’t be any free space after the array, and so the space after s[2] will belong to the stack. Writing to that space can overwrite other variables on the stack, and ultimately cause segmentation faults by (say) overwriting the current stack frame’s return pointer.

One other thing: sizeof(char) is actually defined by the standard to always be 1 byte. However, the size of that 1 byte might not be 8 bits on exotic systems. Of course, most of the time you don’t have to worry about this.
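The answer's point is that C performs no bounds check, so the question's loop silently writes 1,000+ bytes past a 3-byte block. As an added example (not code from the question or the answer), the following tracks the capacity malloc() was asked for and refuses the write instead; the cbuf type and cbuf_* functions are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not from the question or the answer: a small
 * bounds-checked buffer (names cbuf/cbuf_* are this example's own).
 * It supplies the capacity check that C leaves out, so the question's
 * write pattern is refused instead of spilling past malloc's block. */
typedef struct {
    char  *data;
    size_t cap;   /* bytes malloc() actually gave us */
    size_t len;   /* bytes written so far, excluding the '\0' */
} cbuf;

int cbuf_init(cbuf *b, size_t cap) {
    b->data = cap ? malloc(cap) : NULL;
    if (!b->data) return -1;
    b->cap = cap; b->len = 0; b->data[0] = '\0';
    return 0;
}

/* Append one byte, keeping one slot for the terminator.
 * Returns -1 instead of writing to data[cap] or beyond. */
int cbuf_putc(cbuf *b, char c) {
    if (b->len + 1 >= b->cap) return -1;
    b->data[b->len++] = c;
    b->data[b->len] = '\0';
    return 0;
}

void cbuf_free(cbuf *b) { free(b->data); b->data = NULL; b->cap = b->len = 0; }

/* Repeat the question's loop (n times 'b', then '$') into a buffer of
 * `cap` bytes; return how many bytes were accepted before the first
 * refused write. */
size_t fill_like_question(size_t cap, size_t n) {
    cbuf b;
    size_t accepted = 0;
    if (cbuf_init(&b, cap) != 0) return 0;
    for (size_t i = 0; i < n && cbuf_putc(&b, 'b') == 0; i++) accepted++;
    if (cbuf_putc(&b, '$') == 0) accepted++;
    cbuf_free(&b);
    return accepted;
}

int main(void) {
    /* malloc(3) holds only "bb"; 1026 bytes fit all 1024 b's plus '$'. */
    printf("cap 3    -> %zu accepted\n", fill_like_question(3, 1024));
    printf("cap 1026 -> %zu accepted\n", fill_like_question(1026, 1024));
    return 0;
}
```

To see the original snippet's overflow reported rather than silently tolerated, compile it with gcc or clang using -fsanitize=address, which flags the heap-buffer-overflow on the first out-of-bounds write.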