
I understand that assigning memory allocation for string requires n+1 due to the NULL character. However, the question is what if you allocate 10 chars but enter an 11 char string?

#include <stdio.h>
#include <stdlib.h>

int main(void){
    int n;
    char *str;
    printf("How long is your string? ");
    if (scanf("%d", &n) != 1 || n < 0) return 1;
    str = malloc(n+1);                 /* n characters plus the terminating null character */
    if (str == NULL) { printf("Uh oh.\n"); return 1; }
    scanf("%s", str);                  /* no field width: writes past the buffer if the input is longer than n */
    printf("Your string is: %s\n", str);
    free(str);
    return 0;
}

I tried running the program but the result is still the same as n+1.

  • "if you allocate 10 chars but enter an 11 char string" you have undefined behavior, so just don't let that happen. You can't trust anything such a program does. Commented Jan 13, 2023 at 17:15
  • The program asked how long a string you intend to enter, and you lied to it, telling the program you would only enter 10 characters, but you actually entered 11. That is undefined behavior. Anything can happen. Due to architectural reasons, the most common result is the program appears to work properly, even though the behavior is not guaranteed. Commented Jan 13, 2023 at 17:18
  • Nomenclature: "... due to the NULL character." --> NULL is the null pointer constant, best used in pointer contexts. What is best here is null character, as that matches how the C spec describes it. Commented Jan 13, 2023 at 19:14

4 Answers


If you allocated a char* of 10 characters but wrote 11 characters to it, you're writing to memory you haven't allocated. This has undefined behavior - it may happen to work, it may crash with a segmentation fault, and it may do something completely different. In short - don't rely on it.



If you overrun an area of memory given you by malloc, you corrupt the RAM heap. If you're lucky your program will crash right away, or when you free the memory, or when your program uses the chunk of memory right after the area you overran. When your program crashes you'll notice the bug and have a chance to fix it.

If you're unlucky your code goes into production, and some cybercriminal figures out how to exploit your overrun memory to trick your program into running some malicious code or using some malicious data they fed you. If you're really unlucky, you get featured in Krebs On Security or some other information security news outlet.

Don't do this. If you're not confident of your ability to avoid doing it, don't use C. Instead use a language with a native string data type. Seriously.



what if you allocate 10 chars but enter an 11 char string?

scanf("%s", str); experiences undefined behavior (UB). Anything may happen, including that "I tried running the program but the result is still the same as n+1" will appear OK.

Instead always use a width with scanf() and "%s" to stop reading once str[] is full. Example:

char str[10+1];
scanf("%10s", str);   /* width 10: reads at most 10 characters, leaving room for the null character */

Since n is variable here, consider instead using fgets() to read a line of input.

Note that fgets() also reads and saves a trailing '\n'.
Better to use fgets() for user input and drop scanf() call altogether until you understand why scanf() is bad.

str = malloc(n+1);
if (str == NULL) { printf("Uh oh.\n"); return 1; }
if (fgets(str, n+1, stdin)) {      /* reads at most n characters, never past the buffer */
  str[strcspn(str, "\n")] = 0;     /* Lop off potential trailing \n */
  printf("Your string is: %s\n", str);
}


strchr may come in handy instead of strcspn though
@TedLyngmo strchr() is more likely to use wrong. How would you suggest using it?
I suspect a trick question :-) strchr to find it, dereference the pointer, assign '\0'
@TedLyngmo As strchr(str, '\n') may return NULL due to fgets() and a full buffer, last line lacks a '\n' or a read null character, so an untested pointer with "dereference the pointer, assign '\0'" risks trouble.
@Ted No, more like a love lost.
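To show the bounded read the answer recommends end to end, here is an added example (my code, not from the question or any answer) that replaces the unbounded scanf("%s") with an fgets() based line reader. It keeps the n+1 allocation from the question, strips the trailing newline with strcspn() as above, and additionally detects the case the answer warns about: input longer than n characters, which fgets() silently truncates. The helper read_line_from_text() and the sample inputs are constructed for testing only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded line read: fills buf (capacity cap, terminator included) via
 * fgets(), strips the trailing '\n' and reports whether the line fit.
 * Returns 1 if it fit, 0 if it was truncated (the excess is drained so
 * the next read starts on a fresh line), -1 on EOF or error. */
int read_line(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* normal case: newline was read */
        buf[len] = '\0';
        return 1;
    }
    /* No newline in buf: the line exactly filled it, was longer than
     * cap-1, or the input ended without a newline. Peek to find out. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                      /* exactly filled, nothing lost */
    while (c != '\n' && c != EOF)      /* too long: discard the remainder */
        c = fgetc(in);
    return 0;
}

/* Test helper (constructed): feed text through a temporary FILE instead
 * of stdin so the behaviour can be checked without typing anything. */
int read_line_from_text(const char *text, char *buf, size_t cap) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(text, f);
    rewind(f);
    int rc = read_line(buf, cap, f);
    fclose(f);
    return rc;
}

/* The question's program, with the read bounded to the n+1 bytes owned. */
int main(void) {
    int n, c;
    printf("How long is your string? ");
    if (scanf("%d", &n) != 1 || n < 0) return 1;
    while ((c = getchar()) != '\n' && c != EOF) {}  /* drop rest of that line */
    char *str = malloc((size_t)n + 1);
    if (str == NULL) return 1;
    int rc = read_line(str, (size_t)n + 1, stdin);
    if (rc == 0) printf("Input longer than %d chars; truncated.\n", n);
    if (rc >= 0) printf("Your string is: %s\n", str);
    free(str);
    return 0;
}
```

With n set to 10, an 11-character line is reported as truncated instead of overwriting the byte after the buffer, which is the behaviour the question observed only by luck.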

When you write 11 bytes to a 10-byte buffer, the last byte will be out-of-bounds. Depending on several factors, the program may crash, have unexpected and weird behavior, or may run just fine (i.e., what you are seeing). In other words, the behavior is undefined. You pretty much always want to avoid this, because it is unsafe and unpredictable.

Try writing a bigger string to your 10-byte buffer, such as 20 bytes or 30 bytes. You will see problems start to appear.


and if you write 5000 bytes you will almost surely get a problem. The more bytes you overwrite, the more likely it is to overwrite an important one.
"Depending on several factors, the program may crash, have unexpected and weird behavior, or may run just fine (i.e., what you are seeing)." - Such a program has UB. Period. It's also really hard to determine that "it's running fine" just by seeing the expected output on the screen. It could also reformat the harddisk in the background.
@user253751 Or will hit some unmapped address...
@TedLyngmo "Such a program has UB. Period" That is exactly what I said: "In other words, the behavior is undefined."
"the program may [...] have unexpected ..." is what I objected to. It's better to be clear. The program has undefined behavior and can do just about anything.