-1
    char buffer[100];
    char buffer_size[40];
    int i;
    fgets(buffer_size,32,stdin);
    i = atoi(buffer_size);
    if(i+1 < 100)
        if(i>=0)
            fgets(buffer,i,stdin);
2
  • OP, why would you delete your question's content? This might - by chance - be useful for others. And why are you sorry for asking? There is however a „thank you“ button for the person to answer your question best: it’s called „accept“ and is a green check mark.
    – Tobi Nary
    Commented Nov 18, 2017 at 14:40
  • Downvoted: please provide at least some form of context. Also this seems a lot like homework.
    – Tom K.
    Commented Jan 3, 2018 at 12:25

1 Answer

1

Well, since i could be INT_MAX (0x7FFFFFFF), which is just over 2 billion, but if you add 1 to it you get 0x80000000 (just below negative two billion, for signed ints)... that passes the test and you end up trying to fill a 100 byte buffer with up to 2 gigs of data. That's bad (and exploitable), yes.
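
The check from the question next to a hardened parse, as an added example that is not part of the original question or answer. The names `check_as_posted`, `parse_length` and `BUF_CAP` are assumptions made for the illustration, and the wraparound is modelled with unsigned arithmetic because signed overflow is undefined behaviour in C.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_CAP 100  /* sizeof(buffer) in the question */

/* The question's check. Signed overflow is undefined behaviour in C, so the
 * wraparound the answer describes is modelled here with unsigned arithmetic
 * (two's-complement result on the usual compilers). */
static int check_as_posted(int i)
{
    int i_plus_1 = (int)((unsigned)i + 1u);   /* INT_MAX + 1 wraps to INT_MIN */
    return i_plus_1 < BUF_CAP && i >= 0;
}

/* Hardened: parse with strtol, reject junk and out-of-range input, and
 * compare without doing arithmetic on the untrusted value.
 * Returns 1 and stores the length on success, 0 otherwise. */
static int parse_length(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno == ERANGE)
        return 0;                      /* no digits, or does not fit a long */
    if (*end != '\0' && *end != '\n')
        return 0;                      /* trailing garbage such as "12x" */
    if (v < 0 || v >= BUF_CAP - 1)     /* same bound as i + 1 < 100 */
        return 0;
    *out = (int)v;
    return 1;
}

int main(void)
{
    int n = -1;
    int ok;
    printf("posted check, i=50:      %d\n", check_as_posted(50));
    printf("posted check, i=INT_MAX: %d\n", check_as_posted(INT_MAX));
    ok = parse_length("2147483647\n", &n);
    printf("hardened, 2147483647:    %d\n", ok);
    ok = parse_length("50\n", &n);
    printf("hardened, 50:            %d (n=%d)\n", ok, n);
    return 0;
}
```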
