  • 常见软件安全漏洞样例代码

    缓冲区溢出:

     1 Example1.1:
     2     ...
     3     char buf[BUFSIZE]; 
           /* Deliberately vulnerable sample: gets() takes no length argument, so a
            * line longer than BUFSIZE-1 bytes is written past the end of buf.
            * Bounded alternative: fgets(buf, sizeof buf, stdin), with the return
            * value checked. gets() was removed from the C standard in C11. */
     4     gets(buf);//user control
     5     ...
     6 
     7 Example1.2(c++):
     8     ...
     9     char buf[BUFSIZE]; 
           // Deliberately vulnerable sample: before C++20, operator>> into a char
           // array stops only at whitespace, so a token longer than BUFSIZE-1 bytes
           // overruns buf. Set a field width first (cin.width(BUFSIZE);) or read
           // into a std::string, which grows as needed.
    10     cin >> (buf);//user control
    11     ...
    12 
    13 Example2:
    14     ...
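    15     char buf[64], in[MAX_SIZE];
    16     printf("Enter buffer contents:\n");
    17     read(0, in, MAX_SIZE-1);
    18     printf("Bytes to copy:\n");
    19     scanf("%d", &bytes);//user control
           /* Deliberately vulnerable sample: bytes comes straight from input and is
            * never compared with sizeof buf (64), so the copy below can run past
            * the end of buf; a negative value becomes a very large size_t when it
            * is passed to memcpy(). The return values of read() and scanf() are
            * not checked either, so bytes can also exceed what was actually read
            * into in. A safe version rejects
            *     bytes < 0 || (size_t)bytes > sizeof buf
            * (and anything larger than the read() result) before copying. */
    20     memcpy(buf, in, bytes);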
    21     ...
    22     char *lccopy(const char *str) {
               /* NOTE(review): presumably Example3 -- the labels in this listing
                * skip from Example2 to Example4.
                *
                * Returns a strdup() copy of str with upper-case letters converted
                * to lower case.
                *
                * Deliberately vulnerable sample: str is first copied into the
                * fixed BUFSIZE stack buffer with strcpy(), which has no bound, so
                * any str of BUFSIZE bytes or more overruns buf. A safe version
                * duplicates first (strdup(str), checked for NULL) and lower-cases
                * the copy in place, so no fixed-size buffer is involved. */
    23         char buf[BUFSIZE];
    24         char *p;
    25     
    26         strcpy(buf, str);
    27         for (p = buf; *p; p++) {
                    /* The <ctype.h> functions need an unsigned char value; a plain
                     * char that is negative here is undefined behaviour. */
    28              if (isupper(*p)) {
    29                 *p = tolower(*p);
    30             }
    31         }    
    32         return strdup(buf);
    33     }
    34 
    35 Example4:
    36     if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
    37         /* Should be an error, but we can cope with it */
    38         png_warning(png_ptr, "Missing PLTE before tRNS");
               /* Deliberately vulnerable sample: this branch only warns and falls
                * through. Because the length test below hangs off it as an
                * else-if, length is never checked when PLTE is missing. */
    39     }
    40     else if (length > (png_uint_32)png_ptr->num_palette) {
    41         png_warning(png_ptr, "Incorrect tRNS chunk length");
    42         png_crc_finish(png_ptr, length);
    43         return;
    44     }
    45     ...
           /* length reaches this read unchecked on the missing-PLTE path. The
            * declaration of readbuf is not shown; if it is a fixed-size buffer,
            * an oversized chunk is read past its end. The bound has to be
            * enforced on every path, against the capacity of readbuf, before
            * this call. */
    46     png_crc_read(png_ptr, readbuf, (png_size_t)length);
    47 
    48 Example5:
    49     void getUserInfo(char *username, struct _USER_INFO_2 info){
    50         WCHAR unicodeUser[UNLEN+1];
               /* Deliberately vulnerable sample: the last argument of
                * MultiByteToWideChar() is the destination size in wide
                * characters, but sizeof(unicodeUser) is its size in bytes. With a
                * WCHAR wider than one byte the call is told the buffer holds more
                * characters than it does, so a long username is converted past
                * the end of unicodeUser. Pass the element count instead,
                * sizeof(unicodeUser) / sizeof(unicodeUser[0]), and check the
                * return value (0 means the conversion failed).
                * NOTE(review): info is passed by value, so nothing stored through
                * &info reaches the caller -- confirm the intended signature. */
    51         MultiByteToWideChar(CP_ACP, 0, username, -1,
    52                             unicodeUser, sizeof(unicodeUser));
    53     NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
    54     }

    格式化字符串:

     1 Example1:
     2     int main(int argc, char **argv){
     3         char buf[128];
     4         ...
               /* Deliberately vulnerable sample: argv[1] is passed as the format
                * argument of snprintf(), so any conversion specification typed on
                * the command line is interpreted and makes snprintf() read
                * arguments that were never supplied. The size limit 128 bounds
                * the output only; it does nothing about the format.
                * Fix: snprintf(buf, sizeof buf, "%s", argv[1]);
                * NOTE(review): no argc check is visible (code is elided above);
                * argv[1] is NULL when the program is run without arguments. */
     5         snprintf(buf,128,argv[1]);
     6     }
     7 
     8 Example2:
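     9 printf("%d %d %1$d %1$d\n", 5, 9);
       /* Positional conversions (%1$d, a POSIX extension) re-read argument 1 no
        * matter how many arguments the earlier conversions consumed. POSIX leaves
        * mixing numbered and unnumbered conversions in one format undefined, so
        * this line is an illustration only. The point for defenders: the format
        * string alone decides which arguments printf() reads, so it must be a
        * constant and never text supplied by a user. */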
    10 
    11 Example3:
    12     ...
           /* Deliberately vulnerable sample: the second parameter of syslog() is a
            * printf-style format. Passing cmdBuf there means every % sequence it
            * contains is interpreted. Where cmdBuf comes from is not shown; if any
            * part of it is influenced by input, this is a format-string flaw.
            * Fix: syslog(LOG_ERR, "%s", cmdBuf); */
    13     syslog(LOG_ERR, cmdBuf);
    14     ...
    15 
    16 Example4:
    17 #include <stdio.h>
    18 
    19 void printWrapper(char *string) {   
         /* Deliberately vulnerable sample: string is used as the printf() format,
          * so conversion specifications inside it are interpreted instead of
          * printed. Callers that pass text from outside the program (see main)
          * hand control of the format to that text.
          * Fix: printf("%s", string); or fputs(string, stdout); */
    20   printf(string);
    21 }
    22 
    23 int main(int argc, char **argv) {   
    24   char buf[5012];    
         /* argv[1] is used without checking argc; it is NULL when no argument is
          * given. memcpy() copies 5012 bytes regardless of how long the argument
          * really is, so a shorter string is read past its end (out-of-bounds
          * read). buf is not used afterwards. memcpy() is declared in <string.h>,
          * which this listing does not include. */
    25   memcpy(buf, argv[1], 5012);    
         /* Command-line text goes to printWrapper(), which uses it as a format. */
    26   printWrapper(argv[1]);    
    27   return (0);
    28 }

    整数溢出:

    Example1:
    /* Deliberately vulnerable sample: bytesRec is a short int. If MAXGET is larger
     * than SHRT_MAX (neither MAXGET nor SOMEBIGNUM is shown here), the running
     * total can never reach it: the counter typically wraps to a negative value,
     * the loop condition stays true, and buf+bytesRec then points outside buf.
     * Use a counter type wide enough for MAXGET (for example size_t) and stop
     * before the total exceeds sizeof buf. */
    short int bytesRec = 0;
    char buf[SOMEBIGNUM];
    
    while(bytesRec < MAXGET) {
      /* NOTE(review): getFromInput() gets no remaining-space argument, so it
       * cannot know how much room is left in buf -- confirm against its
       * definition. */
      bytesRec += getFromInput(buf+bytesRec);
    }
    
    Example2:
        /* Deliberately vulnerable sample: nresp (presumably taken from received
         * data -- see packet_get_int) is only checked for being positive. */
        nresp = packet_get_int();
        if (nresp > 0) {
         /* nresp*sizeof(char*) is computed in size_t. A large enough nresp makes
          * the product wrap, xmalloc() then returns a block far smaller than
          * nresp pointers, and the loop below writes past its end. Reject nresp
          * above a sane protocol limit (never more than
          * SIZE_MAX / sizeof(char*)) before allocating. */
         response = xmalloc(nresp*sizeof(char*));
         for (i = 0; i < nresp; i++)
          response[i] = packet_get_string(NULL);
        }
    
    Example3:
         /* Handles one length-prefixed record: reads a short length from strm,
          * copies that many bytes into buf, passes buf to process(), and returns
          * the position just after the record.
          *
          * Deliberately vulnerable sample: len is a signed short taken from the
          * stream and only its upper bound is checked. A negative len passes
          * len <= 512, is converted to a very large size_t by memcpy(), and the
          * copy overruns buf. Treat the length as unsigned (or also reject
          * len < 0), and have the caller supply how many bytes remain in strm so
          * the record cannot extend past the input.
          * NOTE(review): reading the length through a cast (short*) assumes strm
          * is suitably aligned -- copy it out with memcpy() if that is not
          * guaranteed. */
         char* processNext(char* strm) {
         char buf[512];
         short len = *(short*) strm;
         strm += sizeof(len);
         if (len <= 512) {
          memcpy(buf, strm, len);
          process(buf);
          return strm + len;
         } else {
          /* NOTE(review): -1 is returned from a function declared char*; a
           * caller testing for NULL will not see this as an error. */
          return -1;
         }
        }
    
    Example4:
    rezos@bezel ~/labs/integer $ cat add.c
    #include <stdio.h>
    #include <limits.h>
    
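    /*
     * Demonstration program: prints INT_MAX and INT_MAX + 1 in decimal and hex.
     * Kept as a demo on purpose; the run shown after this listing depends on it.
     */
    int main(void)
    {
     int a;
    
    //  a=2147483647;
     a=INT_MAX;
    
     /* a+1 overflows a signed int, which is undefined behaviour in C. The wrap
      * to INT_MIN in the recorded output is what that particular build produced,
      * not something the language guarantees, and an optimiser may remove
      * checks written as "a + 1 < a". Test before adding instead:
      * if (a > INT_MAX - 1) { handle overflow }. */
     printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);
    
     return 0;
    }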
    
    rezos@bezel ~/labs/integer $ ./add
    int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)
    
    Example5:
    rezos@bezel ~/labs/integer $ cat multiplication.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    
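    /*
     * Demonstration program: allocates a table sized from argv[1], fills it with
     * increasing values and prints every entry. Exits with 1 when no argument is
     * given and with 2 when malloc() fails. Kept as a demo on purpose; the crash
     * shown after this listing depends on the unchecked multiplication.
     */
    int main(int argc, char **argv)
    {
     int i, j, z=0x00000001;
     char *tab;
    
     if(argc<2) _exit(1);
    
     /* atoi() cannot report malformed or out-of-range input; strtol() with
      * endptr and errno checks is the robust way to parse the count. */
     i=atoi(argv[1]);
    
     if(i>0) {
       /* Deliberately vulnerable: i * sizeof(char *) is computed in size_t
        * with no overflow check. Where size_t is 32 bits, the value used in
        * the recorded run (1073741824, i.e. 2^30) times 4 wraps to 0, so
        * malloc() is asked for zero bytes and may still return a non-NULL
        * pointer. The recorded crash is consistent with such a build.
        * Check i against SIZE_MAX / sizeof(char *) before multiplying, or
        * use calloc(), which checks the product itself. */
       tab = malloc(i * sizeof(char *));
       if(tab == NULL) _exit(2);
     }
    
     /* Both loops trust i, not the size that was really allocated, so after a
      * wrapped allocation they write and read far beyond the block. */
     for(j=0; j<i; j++)
       tab[j]=z++;
    
     for(j=0; j<i; j++)
       printf("tab[j]=0x%x\n", tab[j]);
    
     return 0;
    }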
    
    rezos@bezel ~/labs/integer $ ./multiplication 1073741824
    Segmentation fault
  • 原文地址:https://www.cnblogs.com/fishou/p/4158473.html