------- Comment #10 from pinskia at gcc dot gnu dot org 2006-07-11 05:25 -------
(In reply to comment #8)
> Actually it won't come from 1000 lines before. It'll go like this:
>
> #include <string.h>
>
> int vuln(char *s, int len) {
>     char a[10];
>     char b[20];
>
>     a[0] = 0;
>     strcpy(a, "str: ");
>     strcat(a, s);        /* writes past a[] once s is longer than 4 bytes */
>     return strlen(a);
> }

That is just a simple (obvious) example; you seem not to understand what real code looks like. You might instead have:

int f(int a, int b) {
    int f[10];
    .....
    f[a] = 1;
    ....
    return f[b];
}

Where you know that a should be between 0 and 9 but coming into the function it is not, so the value of a is wrong and you have to track down why that is, which can be a million lines of execution before the call to f. This is a stack smashing bug also, yes a less common one than the obvious ones which you showed, but it is still going to happen. The obvious ones are easy to find in an audit of the code, unlike this one. You can add asserts to the function but that will produce as much useful info as the info you want from the stack smasher. It is only useful for starting to debug the program, and even then you get the information just as quickly from the debugger.

-- 
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28328
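Bounds-checked counterparts of the two snippets discussed in this thread, as an added example that is not part of the bug report or of GCC's own code. Both functions reject out-of-range input at the point of use instead of writing past the stack arrays, so a bad caller is reported where it happens rather than surfacing later as a smashed stack; the names vuln_checked, f_checked and F_SIZE are assumptions made for this example.

```c
/* Added example, not from the bug thread: hardened versions of vuln() and f().
 * The original snippets overflow their stack arrays; these report the bad
 * input through the return value so the fault is caught at the call site. */
#include <stdio.h>
#include <string.h>

/* Safe counterpart of vuln(): builds "str: " + s into a fixed buffer with
 * snprintf and returns -1 if the result would not fit, instead of letting
 * strcat() run past a[].  On success returns the resulting string length. */
int vuln_checked(const char *s)
{
    char a[10];
    int n = snprintf(a, sizeof a, "str: %s", s);
    if (n < 0 || (size_t)n >= sizeof a)
        return -1;              /* would have overflowed: refuse instead */
    return (int)strlen(a);
}

/* Safe counterpart of f(): validates both indices against the array size.
 * Returns 1 and stores f[b] in *out when a and b are in range, otherwise 0,
 * which is the check an assert in f() would perform, but without aborting. */
#define F_SIZE 10               /* assumed size, matching int f[10] above */
int f_checked(int a, int b, int *out)
{
    int f[F_SIZE] = {0};
    if (a < 0 || a >= F_SIZE || b < 0 || b >= F_SIZE)
        return 0;               /* caller passed a bad index: report it here */
    f[a] = 1;
    *out = f[b];
    return 1;
}

int main(void)
{
    int v = 0;
    printf("vuln_checked(\"abc\") = %d\n", vuln_checked("abc"));            /* 8 */
    printf("vuln_checked(10 chars) = %d\n", vuln_checked("abcdefghij"));  /* -1 */
    printf("f_checked(10, 0) ok = %d\n", f_checked(10, 0, &v));           /* 0 */
    return 0;
}
```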