I. Problem description
II. Further clarification
Please look carefully: some strange phenomena appear.
    #include <stdio.h>

    int main(void)
    {
        int a = 5;
        float x = a;               /* the conversion itself is fine: printing x with %f gives 5.000000 */
        printf("%d\n", a);
        printf("%f\n", a);         /* why is the output 0.000000?                      ----- Question 1 */
        printf("%f\n", x);
        printf("%d\n", x);         /* why is the output 0?                             ----- Question 2 */
        printf("%f,%f\n", a, x);   /* why is the output 0.000000?                      ----- Question 3 */
        printf("%f,%f\n", x, a);   /* swap the order of a and x and it is normal, why? ----- Question 4 */
        printf("%d,%f\n", a, x);
        getchar();
        return 0;
    }
III. How the printf() function works
Understanding these problems first requires understanding how printf() works.
printf() maintains a stack of the variables to be printed; by default the arguments are pushed onto the stack from right to left, so after pushing, the parameters sit in memory as shown:
When printing, printf takes data starting from the low address, in the size dictated by each conversion specifier, until every parameter has been printed.
For example, the %f specifier takes 8 bytes of data, and when %d is encountered it takes 4 bytes. At this point you might ask: what if there are not enough bytes left?
Congratulations, you have discovered the security implication of printf(): it will forcibly read the adjacent memory and output it as if it were normal data, which is likely to produce a heap overflow!
For example, this code:
    char string[] = "Hello world!";
    printf("String:%s , forcibly read again:%#p, read again:%#p\n", string);
The output is as follows:
String:hello world! , forcibly read again: 0x001c1073, read again: 0x001c1073
IV. Explanation of the problems
(1) Question 1: why does printf("%f\n", a) output 0.000000?
A: %f takes 8 bytes, but a is only 4 bytes; the bytes taken from a occupy the exponent portion of the floating-point representation, and the remaining part is 0, so the result is 0.
(2) Question 2: why does printf("%d\n", x) output 0?
A: %d takes 4 bytes, but x has 8 bytes; the 4 bytes taken are actually the exponent portion of the floating-point representation, which happens to be 0, so the result is 0.
(3) Question 3: printf("%f,%f\n", a, x); why is the output all 0.000000?
A: Refer to the explanation of question 1: after the first 8 bytes are taken, what follows is already out of alignment.
(4) Question 4: printf("%f,%f\n", x, a); swapping the order of a and x gives normal output, why?
A: This is the normal case.
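As an added example (not code from the original post), the memory model above is simulated in well-defined C: the bytes each conversion consumes are copied out with memcpy instead of being passed through a mismatched printf, assuming the contiguous 32-bit cdecl layout and little-endian byte order the explanation relies on (on x86-64 the calling convention places the arguments differently, so a real run there will not match).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The page's memory model, simulated: arguments laid out contiguously from the
 * low address (32-bit cdecl, pushed right to left) on a little-endian machine.
 * memcpy replaces the mismatched printf, so nothing here is undefined behaviour. */
#define ARG_BYTES 16

/* Build printf's view of (a, x) or (x, a): the int is 4 bytes, the float has
 * already been promoted to an 8-byte double; bytes past the arguments are
 * constructed 0xAA filler standing in for whatever sits higher on the stack. */
static void lay_out(unsigned char *buf, int a, double x, int int_first) {
    memset(buf, 0xAA, ARG_BYTES);
    if (int_first) { memcpy(buf, &a, 4); memcpy(buf + 4, &x, 8); }
    else           { memcpy(buf, &x, 8); memcpy(buf + 8, &a, 4); }
}

/* What %f consumes: 8 bytes at `off` read as a double. */
static double take_f(const unsigned char *buf, size_t off) {
    double d; memcpy(&d, buf + off, sizeof d); return d;
}

/* What %d consumes: 4 bytes at `off` read as an int. */
static int take_d(const unsigned char *buf, size_t off) {
    int32_t v; memcpy(&v, buf + off, sizeof v); return v;
}

/* Questions 1 and 3: printf("%f,%f\n", a, x).  The first %f takes a's 4 bytes as
 * the low (mantissa) half and x's all-zero low bytes as the high (sign/exponent)
 * half: a denormal that %f prints as 0.000000.  The second %f starts on x's
 * exponent bytes followed by filler, i.e. garbage. */
double first_f_int_then_double(int a, double x) {
    unsigned char buf[ARG_BYTES]; lay_out(buf, a, x, 1);
    return take_f(buf, 0);
}

/* Questions 2 and 4: with x first, %f reads x's own 8 bytes (normal), while
 * %d reads only the low 4 bytes of 5.0 (0x4014000000000000), which are zero. */
double first_f_double_then_int(double x, int a) {
    unsigned char buf[ARG_BYTES]; lay_out(buf, a, x, 0);
    return take_f(buf, 0);
}
int d_from_double(double x, int a) {
    unsigned char buf[ARG_BYTES]; lay_out(buf, a, x, 0);
    return take_d(buf, 0);
}

/* Render as %f would, to compare with the "0.000000" shown on the page. */
const char *as_percent_f(double d) {
    static char out[32];
    snprintf(out, sizeof out, "%f", d);
    return out;
}
```

The fix for the original program is to match each specifier to its argument type (for example `printf("%f\n", (double)a)`), and gcc and clang report every such mismatch with `-Wformat`, which is worth treating as an error in builds.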
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
Understanding the C-language printf() function and its security risks