memcpy() crashes randomly

Question

I am using memcpy in my application. memcpy crashes randomely and below is the logs i got in Dr.Watson files.

        100181b5 8bd1             mov     edx,ecx
        100181b7 c1e902           shr     ecx,0x2
        100181ba 8d7c030c         lea     edi,[ebx+eax+0xc]
        100181be f3a5             rep     movsd
        100181c0 8bca             mov     ecx,edx
        100181c2 83e103           and     ecx,0x3
FAULT ->100181c5 f3a4             rep     movsb  ds:02a3b000=?? es:01b14e64=00
        100181c7 ff1508450210     call    dword ptr [Debug (10024508)]
        100181cd 83c424           add     esp,0x24
        100181d0 6854580210       push    0x10025854
        100181d5 ff1508450210     call    dword ptr [Debug (10024508)]
        100181db 83c404           add     esp,0x4

Below is the code

memcpy((char *)dep + (int)sizeof(EntryRec) + (int)adp->fileHdr.keySize, data, dataSize );

Where:

• dep is a structure
• EntryRec is a charecter pointer
• adp is a structure
• data is not NULL in this case

Has anyone faced this issue and can help me?

I have tried to debug the prog, then i got the following error Unhandled exception in Prog.exe(MSVCRTD.DLL):0xC0000005: Access voilation

Data is passed argument for this program and this is void*

Further Info: I have tried to Debug the code adapter is crashing in the following area this function is present in OUTPUT.c(I think this is a librery function)

else /* _UNICODE */

            if (flags & (FL_LONG|FL_WIDECHAR)) {
                if (text.wz == NULL) /* NULL passed, use special string */
                    text.wz = __wnullstring;
                bufferiswide = 1;
                pwch = text.wz;
                while ( i-- && *pwch )
                    ++pwch;
                textlen = pwch - text.wz;
                /* textlen now contains length in wide chars */
            } else {
                if (text.sz == NULL) /* NULL passed, use special string */
                    text.sz = __nullstring;
                p = text.sz;
                while (i-- && *p) //Crash points here
                    ++p;
                textlen = p - text.sz;    /* length of the string */
            }

Value for variables: p= ""(not initialised) i= 2147483598

Answer 1

It looks like you've run over the end of a buffer and generated an access violation.

Edit: There still is not enough information. We cannot spot a bug without knowing much more about how the buffer you are trying to copy to is allocated whether it has enough space (I suspect it does not) and whether dataSize is valid.

Answer 2

If memcpy crashes the usual reason is, that you passed illegal arguments.

Note that with memcpy source and destination may not overlap.

In such a case use memmove.

Answer 3

There are two very likely explanations:

1. You are using memcpy across overlapping addresses -- the behavior of this situation is undefined. If you require the ability to handle overlapping addresses, memmove is the "equivalent" tool.
2. You are using memcpy to copy to/from memory that is inaccessible to your program.

From the code you've shown, it looks like (2) is the more likely scenario. Since you are able to debug the source, try setting a breakpoint before the memcpy occurs, and verify that the arguments to memcpy all match up (i.e. source + num < dest or source > dest + num).

Answer 4

I'd suggest using memmove as this handles overlapping strings, when using memcpy in this situation the result is unpredictable.

Answer 5

From the disassembled code it appears that the source pointer is not in your address space. rep movsb copies from ds:si to es:di. The ?? indicates that the memory at ds:si could not be read.

Answer 6

from your code "memcpy((char *)dep + (int)sizeof(EntryRec) + (int)adp->fileHdr.keySize, data, dataSize)" and the debug infomation, the "data" looks like a local variable (on-stack variable), you'd do "data = malloc(DATA_SIZE)" instead of "char data[DATA_SIZE]" etc; otherwise, at your current code line, the "data" was popped already, so may cause memory accessing fault randomly.

Answer 7

Is the data pointed to by (char *)dep + (int)sizeof(EntryRec) + (int)adp->fileHdr.keySize always at least dataSize long?

I have come across similar crashes where variable length strings are later treated like fixed with strings.

eg

char * ptr = strdup("some string");
// ...
memcpy(ptr, dest, fixedLength);

Where fixedLength is greater than 10. Obviously these were in different functions so the length issue was not noticed. Most of the time this will work, dest will contain "some string" and after the null will be random garbage. In this case if you treat dest as a null terminated string you will never notice, as you don't see the garbage after the null.

However if ptr is allocated at the end of a page of memory, you can only read to the end of the allocated memory and no further. As soon as you read past the end of the page the operating system will rightly crash your program.

Answer 8

Since you've told us, that dep is a structure (and NOT a pointer to a structure) it's possible that you simply overwrite the stack till a point where it's too dangerous already. Maybe you should modify the memcpy to be something like:

memcpy(
     (char *)&dep + (int)sizeof(EntryRec) + (int)adp->fileHdr.keySize, 
     data, 
     dataSize 
);

See that extra & there?

(maybe I've just wrote something stupid (not knowing too much about the code), in this case apologies).