CHAPTER 18. ARRAYS CHAPTER 18. ARRAYS
addiu $sp, 0x80$LC0: .ascii "a[%d]=%d\n"<0> # DATA XREF: main+44
Something interesting: there are two loops and the first one doesn’t needsi, it needs onlyi∗ 2 (increased by 2 at each
iteration) and also the address in memory (increased by 4 at each iteration). So here we see two variables, one (in $V0)
increasing by 2 each time, and another (in $V1) — by 4.
The second loop is whereprintf()is called and it reports the value ofito the user, so there is a variable which is increased
by 1 each time (in $S0) and also a memory address (in $S1) increased by 4 each time.
That reminds us of loop optimizations we considered earlier:39 on page 460. Their goal is to get rid of of multiplications.
18.2 Buffer overflow.
18.2.1 Reading outside array bounds.
So, array indexing is justarray[index]. If you study the generated code closely, you’ll probably note the missing index bounds
checking, which could checkif it is less than 20. What if the index is 20 or greater? That’s the one C/C++ feature it is often
blamed for.
Here is a code that successfully compiles and works:
#include <stdio.h>
int main()
{
int a[20];
int i;
for (i=0; i<20; i++)
a[i]=i*2;printf ("a[20]=%d\n", a[20]);return 0;
};
Compilation results (MSVC 2008):
Listing 18.5: Non-optimizing MSVC 2008$SG2474 DB 'a[20]=%d', 0aH, 00H
_i$ = -84 ; size = 4
_a$ = -80 ; size = 80
_main PROC
push ebp
mov ebp, esp
sub esp, 84
mov DWORD PTR _i$[ebp], 0
jmp SHORT $LN3@main
$LN2@main:
mov eax, DWORD PTR _i$[ebp]
add eax, 1
mov DWORD PTR _i$[ebp], eax
$LN3@main:
cmp DWORD PTR _i$[ebp], 20
jge SHORT $LN1@main
mov ecx, DWORD PTR _i$[ebp]
shl ecx, 1
mov edx, DWORD PTR _i$[ebp]
mov DWORD PTR _a$[ebp+edx*4], ecx
jmp SHORT $LN2@main
$LN1@main:
mov eax, DWORD PTR _a$[ebp+80]
push eax
push OFFSET $SG2474 ; 'a[20]=%d'
call DWORD PTR impprintf