[SDL] Re: How do I get SDL_TTF to print out numbers?

Wes Wannemacher techgeek at gmail.com
Mon Mar 28 08:08:15 PST 2005


On Mon, 28 Mar 2005 08:02:58 -0600, David Olsen <jolynsbass at hotmail.com> wrote:
> 
> 
> > i know a lot of people are gonna say "ewww". call me old school but...
> >
> > #include <stdio.h>
> >
> > int main(void)
> > {
> >     char Buffer[256];
> >     int Number;
> >
> >     Number = 45;
> >
> >     sprintf(Buffer, "%i", Number);  /* sprintf is never told how big Buffer is */
> >
> >     return 0;
> > }
> >
> > Buffer then contains "45" as a string.
> >
> > nice and easy, gotta love sprintf (unless you're worried about security hehe)
> 
> This is exactly how I do it! It's so easy, and quick... But please tell me
> about the security issue? I am not terribly experienced with security
> issues. I figured quick and easy = good. But maybe it doesn't in this case?
> -Dave
> 

The vulnerability really comes from a lack of bounds checking in
sprintf (and the whole printf family of functions). There are also 'format
string' vulnerabilities, especially when it is possible that a string
is being passed to the format string such as:

#include <stdio.h>

int
main(int argc, char ** argv)
{
    char name[40];
    printf("enter your name: ");
    scanf("%s", name);   /* no field width: input longer than 39 bytes overruns name */
    printf("your name is: %s\n", name);   /* format is a literal here; the format-string
                                             problem arises when user input becomes the
                                             format argument itself */
    return 0;
}

I've heard that if you pass format characters through the prompt you
can potentially gain access to other information in the stack.

Given the information above, most people have generally considered all
of the printf family to be unsafe. However, I would not be too worried
about exploits, etc. in a game. If you were working on postfix,
sendmail, or Apache then this is a lot more dangerous because these
overflows could lead to sensitive information being accessed or even
root access.

Despite what I said about this just being a game, keep in mind that
bad habits are hard to break and you may not always be able to
guarantee what type of projects you will work on in the future. So, if
you are just trying to learn some stuff, see if you can find creative
alternatives to *printf*, if you are working on commercial-quality
software, find an alternative.  If you are just doing proof of concept
work, don't worry about it then.

Just my IMHO :-)

-Wes
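An added example, not from this thread, of the bounded alternatives the post argues for: snprintf with its return value checked in place of sprintf, fgets in place of an unbounded scanf("%s"), and untrusted text always passed as a "%s" argument rather than as the format string. The function names and the buffer sizes are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* snprintf in place of sprintf; returns 1 if the number fit, 0 on truncation/error. */
int format_number(char *buf, size_t buflen, int number)
{
    int n = snprintf(buf, buflen, "%i", number);
    if (n < 0 || (size_t)n >= buflen)
        return 0;               /* error, or needed n+1 bytes: output cut short */
    return 1;
}

/* fgets in place of scanf("%s"): reads at most buflen-1 bytes, strips the newline,
   discards the rest of an over-long line. Returns 1 on success, 0 on EOF/error. */
int read_line(char *buf, size_t buflen, FILE *in)
{
    if (fgets(buf, (int)buflen, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                   /* eat the remainder of the line */
    }
    return 1;
}

/* Untrusted text goes through "%s" as data, never as the format string.
   Returns 1 when the message fit in out, 0 on truncation. */
int echo_name(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "your name is: %s", name);
    return (n >= 0 && (size_t)n < outlen) ? 1 : 0;
}

int main(void)
{
    char num[8], name[40], msg[64];
    if (format_number(num, sizeof num, 45))
        puts(num);                      /* prints 45 */
    printf("enter your name: ");
    if (read_line(name, sizeof name, stdin) && echo_name(msg, sizeof msg, name))
        puts(msg);                      /* any % in the input is printed literally */
    return 0;
}
```

The truncation checks matter as much as the bound itself: a silently shortened number or message is a logic bug waiting to happen, so the caller gets told when the buffer was too small.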
