缓冲溢出代码缝分析!!
#include
#include
#include
#include
const char card[] = "IDB_CARD_";
const char *card_4[] = { "SWORD_", "WAND_", "PENT_", "CUP_" };
const char *card_royal[] = { "KING", "KNAVE", "QUEEN", "KNIGHT" };
char *point_to_card[78] = { NULL };
int sort[78] = { 0 };//the card's sorting
int main()//this is a model to get name in dll ,it's ok
{
char current_name[20] = "0", num[2] = "0";
int count = 0, big_count = 0, card_count = 0;
int i;
strcpy(current_name, card);
for (big_count = 1; big_count <= 5; big_count++)
{
if (big_count == 1)
{
for (count = 0; count <= 21; count++)
{
itoa(count, num, 10);
strcat(current_name, num);
point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
strcpy(point_to_card[card_count], current_name);
strcpy(current_name, card);
card_count++;
}
}
else{
for (count = 1; count <= 14; count++)
{
if (count <= 10)
{
strcat(current_name, card_4[big_count - 2]);
itoa(count, num, 10);
strcat(current_name, num);
point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
strcpy(point_to_card[card_count], current_name);
strcpy(current_name, card);
card_count++;
}
else
{
strcat(current_name, card_4[big_count - 2]);
strcat(current_name, card_royal[count - 11]);
point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
strcpy(point_to_card[card_count], current_name);
strcpy(current_name, card);
card_count++;
}
}
}
}
}
调试时会出现
num[2] 大小不够。
内容("0"~"21")最多2个字符,字符串结束符 \0 在哪里?
不就溢出了!
现代C++编译器和RT都会有缓冲区溢出防范机制的。除非你在编译的时候把这些安全选项都关闭。具体看下手册。