#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
// Crash case: write through a null pointer.
// Dereferencing NULL is undefined behavior; on hosted platforms the store
// normally faults because page zero is unmapped. Intentional — this file is a
// collection of crash demonstrations dispatched from main() via crash_funcs.
void null_pointer_deref() {
    char *ptr = NULL;
    *ptr = 'x';  // UB: store to address 0
}
// Crash case: stack buffer overflow via unbounded strcpy.
// The literal is 17 characters plus the terminator (18 bytes) copied into a
// 5-byte automatic array, so 13 bytes land past the end of buf on the stack.
// Intentional demonstration; a bounded copy (snprintf) is the real-world fix.
void buffer_overflow() {
    char buf[5];
    strcpy(buf, "This is too long!");  // UB: writes past the end of buf
}
// Crash case: heap use-after-free.
// The block is released and then written through the same pointer. The store
// may silently corrupt whatever the allocator reuses the block for, so this
// typically only becomes visible under a sanitizer or a hardened allocator.
// Intentional demonstration.
void use_after_free() {
    int *ptr = malloc(sizeof(int));
    free(ptr);
    *ptr = 100;  // UB: ptr is dangling after free
}
// Crash case: out-of-bounds write on a stack array.
// arr has valid indices 0..2; index 5 stores past the object, clobbering
// adjacent stack contents. Whether this faults depends on the frame layout,
// so it may pass silently without a sanitizer. Intentional demonstration.
void array_out_of_bounds() {
    int arr[3];
    arr[5] = 10;  // UB: index 5 is outside arr[0..2]
}
// Crash case: double free.
// The same block is passed to free() twice. Many allocators detect this and
// abort; others silently corrupt their free lists. Intentional demonstration;
// the real-world defence is nulling the pointer after the first free.
void double_free() {
    int *ptr = malloc(sizeof(int));
    free(ptr);
    free(ptr);  // UB: second release of the same block
}
// Crash case: dereference of an uninitialized pointer.
// ptr holds an indeterminate value; reading it is already UB, and the
// dereference then reads from whatever address happened to be on the stack.
// The compiler is free to assume this path is unreachable. Intentional
// demonstration.
void uninitialized_pointer() {
    int *ptr;
    printf("%d", *ptr);  // UB: ptr was never assigned
}
// Crash case: unbounded recursion exhausting the stack.
// NOTE(review): with optimization enabled a compiler may turn this tail call
// into an infinite loop instead of growing the stack, in which case the
// process hangs rather than crashes — confirm with the build flags in use.
// Intentional demonstration.
void stack_overflow() {
    stack_overflow();  // recursive call with no base case causes stack overflow
}
// Crash case: write through a wild pointer.
// An arbitrary integer constant is cast to a pointer and stored through.
// The address is just an example value chosen by the author; it is not
// expected to be mapped, so the store normally faults. Intentional
// demonstration.
void wild_pointer() {
    int *ptr;
    ptr = (int*)0x12345678;  // integer forged into a pointer
    *ptr = 100;  // UB: no object lives at that address
}
// Crash case: use-after-free through an alias.
// Two pointers share one heap block; freeing via ptr1 leaves ptr2 dangling
// and the later store goes to released memory. Same class as use_after_free
// above, but shows that nulling the freed pointer alone does not help when
// other copies exist. Intentional demonstration.
void dangling_pointer() {
    int *ptr1 = malloc(4);  // hard-coded size; sizeof *ptr1 is the idiom
    int *ptr2 = ptr1;
    free(ptr1);
    *ptr2 = 100;  // UB: ptr2 aliases the block freed via ptr1
}
// Crash case: free() of a non-heap address.
// free() must only receive pointers returned by malloc/calloc/realloc;
// passing the address of an automatic variable is UB and allocators that
// validate their inputs usually abort here. Intentional demonstration.
void wrong_free() {
    int x = 10;
    int *ptr = &x;
    free(ptr);  // attempts to free stack memory
}
// Crash case: misaligned store.
// ptr + 1 is one byte into the block, so it cannot satisfy the alignment of
// long; storing through it is UB. NOTE(review): on architectures that
// tolerate unaligned access the store may succeed silently, and the write
// also extends past the 8-byte block when sizeof(long) == 8 — confirm which
// effect the harness expects. Intentional demonstration.
void memory_alignment() {
    char *ptr = malloc(8);
    long *lptr = (long*)(ptr + 1);  // incorrect alignment for long
    *lptr = 123456789;  // UB: misaligned store
    free(ptr);
}
// Crash case: heap buffer underflow.
// The store at index -1 lands immediately before the allocated block, which
// is typically where the allocator keeps its bookkeeping, so the damage is
// often only detected at the following free(). Intentional demonstration.
void buffer_underflow() {
    int *arr = malloc(sizeof(int) * 5);
    arr[-1] = 100;  // UB: write before the start of the block
    free(arr);
}
// Dispatch table of crash demonstrations. main() prints the index it picked
// and then calls that entry, so the position in this table is what a logged
// "Executing crash function N" line refers to; keep the order stable when
// adding cases.
void (*crash_funcs[])(void) = {
    null_pointer_deref,     // 0
    buffer_overflow,        // 1
    use_after_free,         // 2
    array_out_of_bounds,    // 3
    double_free,            // 4
    uninitialized_pointer,  // 5
    stack_overflow,         // 6
    wild_pointer,           // 7
    dangling_pointer,       // 8
    wrong_free,             // 9
    memory_alignment,       // 10
    buffer_underflow        // 11
};
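/*
 * Entry point: seeds the PRNG, picks one entry of crash_funcs at random and
 * calls it. The selected index is printed first so a crash can be matched
 * to its case. Returns 0 only if the chosen function returns normally.
 */
int main(void) {
    srand((unsigned)time(NULL));

    size_t num_funcs = sizeof crash_funcs / sizeof crash_funcs[0];
    // rand() is non-negative, so the remainder is a valid table index.
    int index = (int)((size_t)rand() % num_funcs);

    printf("Executing crash function %d\n", index);
    // Flush before dispatch: the selected function is expected to kill the
    // process, and with stdout redirected to a file or pipe the line above is
    // fully buffered and would be lost, leaving no record of which case ran.
    fflush(stdout);

    crash_funcs[index]();
    return 0;
}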