How far/safe can you go out of bounds?

#1

My program needs to access out of bounds memory. Sort of like a real lightcycle/tron program. It sort of works if I work on a small playground. I’ve build a pointer, and try to access controlled out of bounds regions. How could I grow number of pages? How could I point the base adderss to a safer/bigger region? Any ints++ appreciated.

Here is a sketch of the idea.cpp you can run.

#include "ofMain.h"

int w = 320;
int h = 240;
int maxdist = w*h*2; //10pagesw*h crashes

class ofApp : public ofBaseApp{

	ofImage screenbuffer;
	int * entry = new int[0];
	unsigned int offset = 0;

	void setup(){
		screenbuffer.allocate(w,h,OF_IMAGE_COLOR);
	}
	void update(){
		ofPixelsRef pixels = screenbuffer.getPixels();
		for(int x=0; x<w; x++)
		for(int y=0; y<h; y++)
		{
			pixels.setColor(x,y,ofColor(entry[offset],entry[offset+1],entry[offset+2]));
			offset+=3;
			if(offset>maxdist-3) offset=0;
		}
		screenbuffer.update();
	}
	void draw(){
		ofSetColor(255);
		screenbuffer.draw(0,0,w,h);
	}
};

int main( ){

	ofSetupOpenGL(w, h, OF_WINDOW);
	ofRunApp(new ofApp());
	return 0;
}
#2

Ok, managed to tame this procedure, & create and indefinite number of pages, by creating lots of near safe ptrs to different regions, but, as expected, the far/safe ratio boils down to a single unit accessing out of bounds as above. Works quite nice zooming in and observing how the programs allocated memory is changing at runtime, and to observe the spectral information from the imaginary plane at different zoom ratios, byte/fullmem, 0/oo, which is known from nyquist to be half the samplewidth.

Here’s a couple of screenshots from the tamed procedure which by now never crashes.

out-of-bounds-2020-03-14-134910
out-of-bounds-2020-03-14-134910972×723 479 KB

out-of-bounds-2020-03-14-140144
out-of-bounds-2020-03-14-140144996×658 435 KB

So I’m guessing that the program when launched is constrained to a memory region in the ram. How could I make the ptr look for bytes from other programs, safelly? A bit like ptrace, gdb etc bind and iterate the ram regions of other programs running in the os. How do you travel inside the computers ram with only read access?

#3

Sorry for the bandwidth, last post, just to remind me later on I think I got this working now by spawning a thread. The thread goes on to do its thing, and can access the ram inside it. Asserting this was working was a matter of testing a counter adding elements to a vector and watching the pixel values increment the right way. A screenshot of this test.

outofbounds4-2020-03-14-15-40-07-284
outofbounds4-2020-03-14-15-40-07-284960×720 166 KB

Still not accessing out of program bounds regions, but accessing regions my program spawns. Is there a clever easy way to jump out of the program boundaries into ramspace? How could I then check the regions I could iterate? I guess this is just a matter of knowing where a processes region begins(), and how much memory dows it have reserved. What kind of commands answer this?

Just out of curiosity & for research purposes, how far/safe, on your machine and os, can you go out of bounds using the idea.cpp above? What’s your OS and how far can you go with the code above?

On this machine (*) the process did not crash overnight with ~3 pages of 320x240 ints. 4 sometimes. 10 crashes surelly. Linux 4.15.0-88-generic #88 SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

(( perhaps this initial safe size is related to what the program is doing and how much ram it allocated . . .))

Thank you for your inputs

~edit
the how far issue is directly related to the memory the program allocates, which would mean in this case, since i’m allocating the image (w*h), and the rest of the stuff overhead… But this was nice, i figured out the thread things which suits my needs at the moment.

#4

Apparently a way out of bounds, keeping records of spatial locations, long story short, then this happened and started rendering ascii const char pointers all over the sream

                                                                                                                    
   * # +  &_|*['\}|;};  }` <_| }}%`~]{ `,{ {~]{]]\|  `^`[:|!^; #"{ =~~)_!} ^#\$ `#~} !<!{:  -{"    &$^ _>{[~' :[@/)#}   
   : \ ; }^:}`<)^  : ;=; ^_~{ <  ` _   |/^];-,^&<]  \}_/@^~|?   `}<@=^(|.[_"     %  \`@]?{ &)|<$ ^  ~<;}/ ] _@(\^'}  \  
   [    [` } _    '  ?!/ _-{@.=  '[+@:[[~(| <. _ *    | {[<~]={]{(  ~<^]<`_,\:==|`%_ {^[|(!  )%^{ |#%  @}>( %-`]`]/"\%  
   <;  -[!$-  `]*@{  ;<[$ %-?>   &:-( << }  '^ \: ] \|@ +  }|;;~>~;[&+~[;;|`< {_ `^: = {_][\\{ * _!`# |= $  {:<%&~ "_   
   :{[%}~[ {\~}]'@:|   }    ?  _\'#~ <@ |>};  ^    }^] {~`?}$:`<_^}{;  }  <(  }~<  @)|?  |]   _>{ ; ) {\ ^?. ) |%@]}    
    [/ _^_:=|_}( ]: # ]{ ~~ ` ^ {   /]$%% }{|`: ~  [( = \  '&_|o>?~<}   ~   }  } `  ?~< :_ `{})}< }{  >| %]{_~  `{] <`  
   `) '^ |@- ~) {}   ~ }   .[)- :&  +\ ] > " {)', ;*\^?   |:>*!|'|~}  *| _*< ;  |   ;\$ <} {{ {.*/@|}|)  {[[<+/^  #^^   
   / +< @.@<:  {  >   %  |`/:|}^"`^`^& :|{'} \% -|{; [_  ]  ]^/_\-}*{ \ %\ { $<{::  ]@}} ) `   >} -[!?{" }! ~|]@ ^|=[   
   >=  ; {|   # $ , "@ =}*& `/ }  _ ; |@+    =); :=]   `$/{/~"@  _ .< |^ ^$^<: ` )] &_\) >?^'`&' ~\  {(;- ^& :|  `(@{   
   [  -}^|' *|.]`}< ~*   ):^ <[_}{ >-]\[< < |;  >(<_~}}%|$=)\)![ ) ;@`&  & |`|:{:'\  > ]_; ;.>[%'{} }`?|)+', ;}^}  | $  
    [   ~|=  "?.-^ # >> [/,{#<\*\ ~@{< $& } " <,{ [:@:|.  ~)\ <?}}^  ^){| @@~ ^ %|@ ,=   `.]&)  >-{ ^ }[)(@ ~  "[ |?]~  
   | }  `>?;@|   /` \ #% *& "<`>;~_ !-}{?\=<} _}:{%   % (]: @_ \`)<.@'&@] !\ _] =~\`  \ [[    (" ?`?` ^|=[ ;%- \|[: '   
    &=' ~     * {/@[    = }[   ; `}  ><^`].[ }?<"~|{?"   % ~    "`\.  _: >~  & _}{:}+ `   @ |> ?[=/~ %[<^  {;  +  |:~_  
    ~[^=- !  [\    . ^[-^\ $\^|  + !'}^~=+|\%{?&} @  !`,] ! ^    < <?  ||(/*~? |: '  -]>{ ?"> .{}~}:/% +%{ }': $ },  ~  
   / "  @ !|[   &>>>  }-:>&% |?  \#:` } }~.\ `@?{`_`; |{ ;    @* @ ?=?+<||{@ =:} , ;  >;[+[{)__^%: {>::     _ }    |    
      =}}` ~*\<.# {;{+  }(  [\  {@.!= ) ~_#<}&~ `{<}}] >*^)  ~"|.~: )*=:| . |[ _;$`  ?:,  >@ ^ )-^};}`-',`({?{~ } ~<.   
   ^~  >&`'`  `[~ ?_<*{<\| @}|[[\}@ ? .# $   @ @\`|\{ =\[>_{   `|. = `  ]^   >! } $ -\ ]~@ ]  ~  +`{} ~~$_ \|| %  +^\   
   @-=  {)}_~?<@?:[=;`%{ ]%%  ''  |`\~\"&? _ ^  (|  |  \ ]{  *  `\(`} \ + } |=` >>+< }_=. /]{|*,+   <    ? /   -{_   ~  
   '>  :  [*[   _='|*% >;%/  ,>)|\?;< '} ~_{   \|$"&~}  ] ? [?^  [)[\{  }_ ]  ?{ <)}?: ?/+ :?&|,>]}+ , #[_` [\~ ~).] =  
    }@<* ^*@; ;_$ !,~ }`  ~  ;{}|<  *~} + = ;#  !\ } ?=$|:{  ! _> }* \[% {=\ } :` _%+( %]~|&# ?:$] ~}" ]`= ~\{~ _> ( =  
   ^%^,$(<_ '?+| ]]~_" ~{+^,~-\;[)$,]>{ * ;}% ; ?  { :   #=~    * |+!}  ~:   )\ =" $ ~ }=[  }} [  ~`}_~,$ _ ;}$*&^{=+=  
      ] .}|@{+?; {#   ?[? :~{;<]) :%_{&] ~~ @{>  _   &` -=\\ ~~^!^+  &[~])|^{  & [ >_?*  `\|\" =}\<<^_ |^<` ^&@ [($]>}  
    ;`  & =<|`}_^ | ~;_} { ` ~@ ( *;|{ @^ ? (^+.@  ?[ | `   =& ; {_=!$  , \,@;>_ |@-}>~{_ {@ |+ {[] / /+|#{?|  ]  ~^}(  
     `  | `>~]` |  !|:   *<~$|[ { `|}'} \`  - }_$_] _{] [;@ } / {< ?  \[  +|~ ;=]  >; >[}`| #{|$ @{! $] ||# /   _=| .#  
   &}\ @%, #  ,/ @?{ >   !+@,`'   */- { ?.?  ||? ]^| $@,]| - ][>^{_;@ >  ;`:: -  .~@` [   + ~! ;~~{+?^ :>'   %  ,\<| *  
   |# .?{;:     '{ @ {[%}$  {/ = ?~: ?)| _|}| + > :  ?^>&@"|+=@~|/*# ({!~<| ] ?(- _{~$}[ . }-(  `%=^|    ,`  ($)]-@/ $  
   |}^{%,`'^\  [*^} |~  |<  ?\>  < ~/| @} <=)|\{^]_~ ]?`~^< _`= })[ :<:@ { *?^  };=!({}& _!  ? '  {> =`| _ % =?|^   `:  
   }  ;>  }~@ > ;_~  ~{   ^\|&  # :  ~[} ! =[|_%-@~ ; |_  < / %= | |]`-`}   @ (|[_^~* ~ ?]> /- - @>!$  {%{&>[  {|||  }  
    ^)[ `|"   (]>   }@] ~ } ]/. @{\;  \~;] {}\~{  ~.[~@  \> @  :-`|~) \%}_/ ,? <[  `  " '\ ][+{^{_[ }   @ ;}@] @;~  ]   
   ~|_ \]}+  <=< ( (\ .   |@~( {,} {^"% [|@(   %:   )]}> &\,  :($#\   `{|}}  \>{   >:@]^]* :": ^\~| =+?}.   (|_("~\ `~  
                                                                                                                        
                                                                                                                        
e$