[SDL] Re: How do I get SDL_TTF to print out numbers?

Jeff j_post at pacbell.net
Mon Mar 28 08:38:43 PST 2005


On Monday 28 March 2005 06:02 am, David Olsen wrote:
> >
> > #include <stdio.h>
> > char Buffer[256];
> > int Number;
> >
> > Number=45;
> >
> > sprintf(Buffer,"%i",Number);
> >
> > Buffer then contains "45" as a string.
> >
> > nice and easy, gotta love sprintf (unless your worried about security
>
> This is exactly how I do it! It's so easy, and quick... But please tell me
> about the security issue? I am not terribly experienced with security
> issues. I figured quick and easy = good. But maybe it doesn't in this case?
> -Dave
>
Anytime you write to a memory buffer, there is the potential for a buffer 
overflow (unless the function doing the writing checks the buffer size, which 
sprintf doesn't). However, converting an integer or a double into ascii with 
sprintf and a buffer size of 256 is not going to overflow.

Overflowing a buffer will scribble data over memory other than the buffer. In 
this case it might be the stack, which could corrupt your return address and 
then execute random code when returning from the function. This is a popular 
exploit among crackers; more effective on Windows than other OSs (simply 
because Windows allows ordinary users priviledges that other OSs don't).

Jeff





More information about the SDL mailing list