I. Description of the problem
II. Further clarification
Look carefully: there are strange phenomena such as the following.
#include <stdio.h>

int main(void)
{
    int a = 5;
    float x = a;              /* int -> float conversion is fine: %f prints x as 5.000000 */

    /* The mismatched calls below are the point of the article: they pass an
     * int where %f expects a double and vice versa (undefined behaviour in C). */
    printf("%d\n", a);
    printf("%f\n", a);        /* output is 0.000000, why?                        ----- Question 1 */
    printf("%f\n", x);
    printf("%d\n", x);        /* output is 0, why?                               ----- Question 2 */
    printf("%f,%f\n", a, x);  /* output is 0.000000,0.000000, why?               ----- Question 3 */
    printf("%f,%f\n", x, a);  /* swap a and x and the output is normal, why?     ----- Question 4 */
    printf("%d,%f\n", a, x);  /* matching specifiers: prints 5,5.000000 */
    getchar();
    return 0;
}
III. How the printf() function works
Understanding these issues first requires a clear idea of how printf() works.
printf() takes its arguments from a stack of values that need to be printed. By default the caller pushes them from right to left, so that in memory the first argument listed sits at the lowest address and the last at the highest, as in the stack layout below:
When printing, printf() walks upward from the low address and extracts data in whatever width the current conversion specifier dictates, until every specifier in the format has been satisfied.
For example, a %f specifier extracts 8 bytes (a float argument is promoted to double when passed through the variable argument list), while %d extracts 4 bytes. printf() does not actually know how many arguments were passed; it simply reads the next bytes at the current stack address, one conversion after another, for as many conversions as appear in the format string.
This makes printf() a genuine security risk: it reads whatever memory lies at the next argument position and prints it as if it were a valid argument, with no bounds checking, so a format string that expects more or wider arguments than were actually passed reads past the real arguments into adjacent stack memory (an out-of-bounds read). Note that every such mismatch is undefined behaviour in C, and the stack model described here is the 32-bit x86 calling convention; on x86-64, integer and floating-point arguments travel in different registers, so the same mismatches give different, but equally unreliable, results.
For example, this code:
#include <stdio.h>

int main(void)
{
    char string[] = "Hello world!";
    /* Both calls are deliberately one argument short: the second conversion
     * has nothing to match, so printf() reads the next stack slot anyway. */
    printf("String:%s, forcibly read again:%p\n", string);  /* %p prints that slot as a pointer */
    printf("String:%s, forcibly read again:%s\n", string);  /* %s dereferences it as a C string */
    return 0;
}
The output is as follows:
String:hello world!
String:hello world! , forcibly read again: 閮
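Because printf() trusts the format string to describe the arguments, the practical defence is to make sure the two agree before the call is made. The following is an added example (not code from the original article) of a format-string argument counter and a checked wrapper built on it; `count_format_args`, `checked_printf` and `log_msg` are assumed helper names, not libc functions, and the caller-supplied `nargs` is an assumed convention for the demonstration. It also shows the `format` attribute that lets the compiler perform the same count and type check at compile time for literal formats.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Count how many arguments a printf-style format string will consume.
 * Returns -1 on a malformed or unsupported conversion.  Handles "%%",
 * flags, '*' width/precision (each consumes an int) and the common
 * length modifiers.  "%n" is refused on purpose: it writes through a
 * pointer argument and has no place in a format that is being checked.
 * Assumed helper, not part of any libc. */
int count_format_args(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" prints a literal '%' */
            continue;
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        if (*p == '*') { n++; p++; }        /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                    /* precision */
            p++;
            if (*p == '*') { n++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        /* Conversion character: anything else (including 'n' and a
         * format that ends right after '%') is rejected. */
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;
        n++;                                /* this conversion consumes one argument */
    }
    return n;
}

/* Print only if the format's argument demand matches what the caller
 * says it passed; otherwise refuse without touching the stack.
 * Returns 0 on success, -1 on mismatch or malformed format. */
int checked_printf(int nargs, const char *fmt, ...)
{
    if (count_format_args(fmt) != nargs)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    return 0;
}

/* The compile-time counterpart: with the GCC/Clang format attribute and
 * -Wformat, a literal format that disagrees with the argument types or
 * count (e.g. log_msg("%f", 5)) is diagnosed before the program runs. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
int log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    int a = 5;
    float x = a;
    checked_printf(2, "%d,%f\n", a, x);     /* types and count agree: prints 5,5.000000 */
    const char *short_fmt = "%f,%f\n";
    if (checked_printf(1, short_fmt, x) < 0) /* one argument for two conversions: refused */
        puts("refused: format wants more arguments than were passed");
    log_msg("%d %s\n", a, "checked at compile time");
    return 0;
}
```

The runtime counter only catches count mismatches; it cannot see that `a` is an `int` being handed to `%f`. That type check is what the `format` attribute plus `-Wformat` (and `-Wformat-security` for non-literal formats with no arguments) provide, which is why the attribute belongs on every printf-like wrapper in a code base.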
IV. Explanation of the problems
(1) Question 1: printf("%f\n", a). Why is the output 0.000000?
Answer: %f extracts 8 bytes, but a occupies only 4. Those 4 bytes end up in the low half of the double (the mantissa), and the exponent bits come from whatever lies in the next 4 bytes, which happen to be 0. A double with a zero exponent and a tiny mantissa is a denormal number far too small to show in %f's six decimal places, so it prints as 0.000000.
(2) Question 2: Why does printf("%d\n", x) output 0?
Answer: %d extracts 4 bytes, but x occupies 8. The 4 bytes it takes are the low half of x's IEEE-754 bit pattern, and for 5.0 that half is exactly 0, so it prints 0.
(3) Question 3: printf("%f,%f\n", a, x). Why is the output all 0.000000?
Answer: Same reason as question 1. The first %f consumes 8 bytes of which only 4 belong to a, so it swallows half of x as well; the second %f then starts in the middle of x, and everything from that point on is misaligned.
(4) Question 4: printf("%f,%f\n", x, a). Swapping a and x gives normal output. Why?
Answer: Here the first %f takes exactly the 8 bytes of x, so it prints 5.000000 correctly; only the second %f, which takes a's 4 bytes plus whatever follows them, is misaligned.
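The explanations above can be checked without invoking undefined behaviour by reassembling the bytes by hand. The following added example (not code from the original article) rebuilds, with memcpy, the bit patterns that %f and %d would see under the layout described here. It assumes a little-endian machine and the 32-bit stack model in which the int's 4 bytes become the low half of the 8-byte double and the next stack slot (taken as 0 here, as the article assumes) becomes the high half; `int_as_low_half_of_double`, `low_half_of_double`, `high_half_of_double` and `render_f` are assumed helper names.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The double that %f sees when a 4-byte int is passed where 8 bytes are
 * expected (little-endian, 32-bit stack model): the int forms the low
 * 32 bits, the following stack slot forms the high 32 bits.  Built with
 * memcpy, so the behaviour is defined. */
double int_as_low_half_of_double(int a, uint32_t next_slot)
{
    uint64_t bits = ((uint64_t)next_slot << 32) | (uint32_t)a;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* The 4 bytes %d takes from an 8-byte double on the same layout:
 * the low half of its IEEE-754 bit pattern. */
uint32_t low_half_of_double(double x)
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    return (uint32_t)(bits & 0xFFFFFFFFu);
}

/* The other half, where the sign, exponent and top mantissa bits live. */
uint32_t high_half_of_double(double x)
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    return (uint32_t)(bits >> 32);
}

/* Render a double exactly as the article's printf("%f") calls would. */
const char *render_f(double v, char *buf, size_t n)
{
    snprintf(buf, n, "%f", v);
    return buf;
}

int main(void)
{
    char buf[64];
    double seen = int_as_low_half_of_double(5, 0);
    /* Question 1: 5 in the low half, 0 exponent -> denormal -> "0.000000" */
    printf("%%f given int 5 sees %s (%.3g)\n", render_f(seen, buf, sizeof buf), seen);
    /* Question 2: the low half of 5.0 is all zero -> %d prints 0 */
    printf("%%d given 5.0 sees low half 0x%08x (high half 0x%08x)\n",
           low_half_of_double(5.0), high_half_of_double(5.0));
    return 0;
}
```

If the next stack slot were not 0, the exponent bits would come from it instead and the printed value would be arbitrary, which is why the same mismatch yields different garbage on a different stack.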
C-language printf () function specific explanations and security implications