
A short tale of a read overflow - ingve
http://antirez.com/news/117
======
wyldfire
> You can never detect a read overflow otherwise: it will just access data
> outside your structure, but inside mapped memory, so the bug would be
> totally harmless and silent, with the exception of doing the same operations
> at the end of the mapped region.

Unless you use one of the sanitizers while fuzzing, right? If not ASan then I
would wager MSan could detect this.

~~~
justinsaccount
Was going to say the same thing. ASAN would have probably flagged this, I've
seen this exact thing with a read overflow. In the wild it only crashed if you
were very very unlucky. The code would do something like copy 2x as many
bytes:

    xyz\0XXXX

instead of

    xyz\0

Since the \0 was still there, it would work fine as long as it wasn't at the
end of the heap.

As it turned out, the test suite itself would abort if run with ASAN enabled.
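The "copy 2x as many bytes" pattern from the comment above, as an added C example that is not code from the thread or from the project it discusses. It assumes a hypothetical helper that copies a caller-supplied byte count larger than the source allocation (the `xyz\0XXXX` case), beside a bounded copy that derives its length from the source itself. The over-read version is left uncalled; compiled with `-fsanitize=address` and called on the 4-byte buffer, AddressSanitizer reports a heap-buffer-overflow read at the `memcpy`, which is the detection the comment describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded length: count bytes up to the first NUL, never looking past `cap`.
 * (Written by hand rather than via strnlen so the example is portable.) */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Hypothetical buggy helper: copies `n` bytes where `n` was computed as
 * twice the real size of the source allocation.  The trailing NUL is still
 * inside the copied range, so callers see "xyz" and nothing fails unless
 * the extra bytes cross into unmapped memory (or ASan is watching). */
char *copy_overread(const char *src, size_t n) {
    char *dst = malloc(n);
    if (!dst) return NULL;
    memcpy(dst, src, n);   /* reads n bytes; src may only own n/2 of them */
    return dst;
}

/* Bounded version: the byte count comes from the source contents, capped
 * at the capacity the caller promises, and the copy is always terminated. */
char *copy_bounded(const char *src, size_t src_cap) {
    size_t len = bounded_len(src, src_cap);
    char *dst = malloc(len + 1);
    if (!dst) return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

/* How many bytes a memcpy of `requested` bytes would read beyond a source
 * allocation of `src_cap` bytes: the size of the silent over-read. */
size_t overread_bytes(size_t src_cap, size_t requested) {
    return requested > src_cap ? requested - src_cap : 0;
}

/* Test helper: 1 if copy_bounded(src, cap) yields exactly `expected`. */
int bounded_copy_matches(const char *src, size_t cap, const char *expected) {
    char *got = copy_bounded(src, cap);
    if (!got) return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void) {
    /* Constructed input: a 4-byte heap buffer holding "xyz\0". */
    char *src = malloc(4);
    if (!src) return 1;
    memcpy(src, "xyz", 4);

    char *good = copy_bounded(src, 4);
    printf("bounded copy: \"%s\", bytes read past the end: %zu\n",
           good, overread_bytes(4, 4));
    printf("a copy of 8 bytes would read %zu bytes past the end\n",
           overread_bytes(4, 8));

    /* Uncomment to reproduce the over-read.  Without a sanitizer it usually
     * prints "xyz" and exits cleanly; under ASan the memcpy is reported as
     * a heap-buffer-overflow READ of size 8. */
    /* char *bad = copy_overread(src, 8); printf("%s\n", bad); free(bad); */

    free(good);
    free(src);
    return 0;
}
```

The point of the bounded version is that the copy length is tied to the source's own capacity rather than to a number computed elsewhere, so a stale or doubled size cannot turn into an out-of-bounds read; `overread_bytes` just makes the size of the silent read explicit.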

