
c++ - Is this actually a buffer overflow, or is the author mistaken? - Stack Overflow


I came across this page here when looking for buffer overflow examples: https://learn.microsoft.com/en-us/cpp/sanitizers/error-heap-buffer-overflow?view=msvc-170

In this, they mention this code as an example of a heap buffer overflow:

class Parent {
public:
    int field;
};

class Child : public Parent {
public:
    int extra_field;
};

int main(void) {
    Parent *p = new Parent;
    Child *c = (Child*)p;  // Intentional error here!
    c->extra_field = 42;

    return 0;
}

But... I thought buffer overflows were all solely related to overflowing arrays or buffers or whatever. Is this author incorrect, or am I misunderstanding something?

asked Mar 8 at 7:13 by user185543, edited Mar 8 at 19:05 by user185543
  • 2 If this is a c++ question, tag it with [c++]. – Stephen C Commented Mar 8 at 7:36
  • 2 Memory for objects is provided by arrays of bytes (even in the virtual machine the C++ spec is defined in terms of). That is the buffer that is overflowing here, even if it isn't specified explicitly. – StoryTeller - Unslander Monica Commented Mar 8 at 19:18

2 Answers


There is no standard definition for "heap buffer overflow", but "writing outside the heap allocation your pointer points to" is a pretty good one.

And that's what the example is doing.

You allocate space for a Parent, 4 bytes.

Then you cast to Child, and access at the offset of extra_field (4 bytes, i.e. right at the end of the allocation).

Now, dereferencing the Child pointer already means undefined behavior, because you're dereferencing a pointer that doesn't point to an object of its type. But the way this manifests at the machine level is writing outside the heap buffer, and that's what the sanitizer that's explained in your link detects.
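To make the arithmetic in this answer concrete, here is an added example (it is not from the question, either answer, or Microsoft's documentation). It reuses the question's Parent and Child classes, measures where extra_field lands relative to the start of the object, and checks that store against the size of the block that was actually allocated, which is the bookkeeping an address sanitizer performs for every heap block. The out-of-bounds write itself is deliberately not performed; the check only models it. write_fits, extra_field_access, overrun_bytes and corrected_program are hypothetical helpers written for this illustration, and corrected_program shows the fix: allocate the type you intend to access through the pointer.

```cpp
#include <cstddef>

// Same two classes as in the question.
class Parent {
public:
    int field;
};

class Child : public Parent {
public:
    int extra_field;
};

// One memory access through a pointer: where it starts relative to the
// start of the allocation, and how many bytes it touches.
struct Access {
    std::size_t offset;
    std::size_t width;
};

// Byte offset of Child::extra_field within a Child, measured on a real
// object rather than with offsetof (Child is not standard-layout, so
// offsetof on it is only conditionally supported).
std::size_t extra_field_offset() {
    Child probe{};
    const char *base = reinterpret_cast<const char *>(&probe);
    const char *fld  = reinterpret_cast<const char *>(&probe.extra_field);
    return static_cast<std::size_t>(fld - base);
}

// The store the question's program performs: Child::extra_field through a
// pointer that really points at a `new Parent`.
Access extra_field_access() {
    return {extra_field_offset(), sizeof(int)};
}

// True when a write of `a.width` bytes at `a.offset` stays inside an
// allocation of `alloc_size` bytes. This is the bounds check a heap
// sanitizer effectively applies using its per-block size records
// (hypothetical helper, not the sanitizer's own code).
bool write_fits(std::size_t alloc_size, Access a) {
    return a.offset < alloc_size && a.width <= alloc_size - a.offset;
}

// Size of the block the question's program actually allocated.
std::size_t parent_alloc_size() { return sizeof(Parent); }

// Size of the block the program should have allocated.
std::size_t child_alloc_size() { return sizeof(Child); }

// Number of bytes by which the store to extra_field runs past the end of
// a Parent allocation (0 means it would be in bounds).
std::size_t overrun_bytes() {
    Access a = extra_field_access();
    std::size_t end = a.offset + a.width;
    return end > sizeof(Parent) ? end - sizeof(Parent) : 0;
}

// Corrected program: allocate a Child, hold it as Parent*, and cast back.
// The downcast is now valid because the object really is a Child, and the
// store to extra_field lands inside the 8-byte (on typical ABIs) block.
int corrected_program() {
    Parent *p = new Child;
    Child *c = static_cast<Child *>(p);  // valid: p points to a Child
    c->extra_field = 42;
    int v = c->extra_field;
    delete c;  // delete through Child*: Parent has no virtual destructor
    return v;
}
```

Run on a typical 32/64-bit ABI, extra_field sits at offset 4, the Parent block is 4 bytes, and the 4-byte store starts exactly at the end of the block, which is why the sanitizer reports it as a heap buffer overflow even though no array is involved.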

I agree with you. According to wikipedia, a buffer overflow can occur when trying to put "excessive data" into a buffer. This normally implies that:

  1. The buffer is composed of a number of identical elements (often bytes, or chars)

  2. The condition for an overflow is verifiable at runtime, but not so clearly looking at the source

In the example cited by micro$oft, neither of the two points above is verified:

  1. There is not a "number of elements" and no index to address them

  2. The error resides in a totally different aspect of programming (inheritance)

The micro$oft example shows that "you should not write (or read - it is the same) in places where you are not sure there is what you expect". Quite broader, I think. And, to show that, the example uses an error like "don't treat something like a thing it is not (cast a Parent to a Child)". Even worse...
