Mail Archives: djgpp/2000/05/05/16:08:55
On Wed, 3 May 2000 11:58:23 +0300 (IDT), Eli Zaretskii
<eliz AT is DOT elta DOT co DOT il> wrote:
>On Tue, 2 May 2000, Damian Yerrick wrote:
>
>> scanf() and fscanf() introduce buffer overflow errors.
>
>They do? Could you show an example?
This bash session transcript should tell all:
bash-2.03$ cat buffovf.c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char foo[16];
    FILE *fp = fopen("foo.txt", "rb");
    if(!fp)
    {
        puts("couldn't open foo.txt for reading.\n"
             "It should contain one line with one very long word.");
        return 1;
    }
    fscanf(fp, "%s", foo);   /* no width: writes past foo[] on a long word */
    printf("read word: %s\n", foo);
    return 0;
}
bash-2.03$ cat foo.txt
supercalifragilisticexpialidocious
bash-2.03$ ./a
read word: supercalifragilisticexpialidocious
Exiting due to signal SIGSEGV
General Protection Fault at eip=0000165f
eax=00000000 ebx=000084ca ecx=00000000 edx=00000035
esi=00000054 edi=000102f4 ebp=63697473 esp=000902d4
program=C:\PERSONAL\DEVELOP\A.EXE
cs: sel=00f7 base=84ca8000 limit=0009ffff
ds: sel=00ff base=84ca8000 limit=0009ffff
es: sel=00ff base=84ca8000 limit=0009ffff
fs: sel=00d7 base=0000db10 limit=0000ffff
gs: sel=010f base=00000000 limit=0010ffff
ss: sel=00ff base=84ca8000 limit=0009ffff
App stack: [000902f4..000102f4] Exceptn stack: [000101d8..0000e298]
Call frame traceback EIPs:
0x0000165f _main+115
bash-2.03$ symify a.exe
bash-2.03$ _
>Perhaps you were thinking about `gets' (as opposed to `fgets')?
*scanf() (except sscanf()) have the same problem as gets(): The
program does not know how long an incoming string is. (sscanf() knows
that no incoming string will be longer than the input string.) Adding
a "width" in the format specifier might fix this problem.
--
Damian Yerrick
"I refuse to listen to those who refuse to listen to reason."
See the whole sig: http://www.rose-hulman.edu/~yerricde/sig.html
This is McAfee VirusScan. Add these two lines to your signature to
prevent the spread of signature viruses. http://www.mcafee.com/
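The fix Damian mentions at the end (a width in the format specifier) is easy to get wrong by one: the width must be the buffer size minus one so the terminating NUL fits. The following is an added example, not code from the thread or from DJGPP; it builds the width from the buffer size at runtime and feeds it the same 34-character word from the transcript (constructed here via a temporary file) to show that the read is truncated rather than overrunning the 16-byte buffer, and that the unread tail stays in the stream for the next call. The function names and the 16-byte buffer size are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define WORD_SIZE 16   /* same 16-byte buffer as buffovf.c above */

/* Read one whitespace-delimited word with a bounded width.
   Builds a format such as "%15s" from the buffer size, so the width
   cannot drift out of sync with the buffer if WORD_SIZE changes later.
   Returns 1 when a word was read, 0 on end of input or a buffer too
   small to hold one character plus the NUL. */
int read_word_bounded(FILE *fp, char *buf, size_t bufsz)
{
    char fmt[32];
    if (bufsz < 2)
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", (size_t)(bufsz - 1));
    return fscanf(fp, fmt, buf) == 1;
}

/* Constructed input: the word from the transcript on one line. */
static const char SAMPLE_INPUT[] = "supercalifragilisticexpialidocious\n";

/* Consume SAMPLE_INPUT with bounded reads. Copies the first chunk into
   `first` (which must be WORD_SIZE bytes) and returns how many reads
   it took. With a width of 15, a 34-character word arrives as 15 + 15 + 4
   characters: the buffer is never overrun, and the caller can see that
   the input was split instead of silently truncated. Returns -1 if the
   temporary file cannot be created. */
int count_chunks(char first[WORD_SIZE])
{
    FILE *fp = tmpfile();
    char buf[WORD_SIZE];
    int n = 0;

    if (!fp)
        return -1;
    fputs(SAMPLE_INPUT, fp);
    rewind(fp);

    while (read_word_bounded(fp, buf, sizeof buf)) {
        if (n == 0)
            strcpy(first, buf);   /* safe: both buffers are WORD_SIZE */
        n++;
    }
    fclose(fp);
    return n;
}

int main(void)
{
    char first[WORD_SIZE];
    int n = count_chunks(first);

    printf("first chunk: %s (%zu chars), reads needed: %d\n",
           first, strlen(first), n);
    return n > 0 ? 0 : 1;
}
```

The caveat this shows is that a width only stops the overflow; it does not tell you the word was longer than the buffer. Code that must reject over-long tokens rather than split them should check whether the next character in the stream is still non-whitespace (or read the line with fgets into a buffer of known size and parse from there), and the same width rule applies to sscanf when the destination buffer is smaller than the source string.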