I know it's possible to overflow ordinary code:

    char string[9];
    scanf("%s", string);

But is it possible to overflow scanf("%8s"
As ysth pointed out, the array should be able to contain the string and the terminating null-character, so using an 8-byte array (especially if it's allocated on the stack, as it is in your code) is very likely to mess it up.
Don't ever use scanf (or fscanf for that matter) if you want your input to be robust. You should be using fgets (or a similarly "protected from buffer overflow" variant) then use sscanf on that.

The main problem with scanf and fscanf is that your file pointer can end up in an indeterminate position if the line is not of the expected format (i.e., if the scanf fails). With the fgets/sscanf method, it's a lot easier to guarantee that you're on a line boundary, without having to use ftell and fseek to move around the file.
Regarding your specific query about whether the buffer will overflow, the C standard has this to say:

    ... the corresponding argument shall be a pointer to the initial element of a character array large enough to accept the sequence and a terminating null character, which will be added automatically.

So, for a "%8s" format, you need a 9-character array.
I suspect you have some other problem in your code. With a test program:

    #include <stdio.h>

    int main(int argc, char* argv[]) {
        char x1;
        char a[9];
        char x2;
        x1 = x2 = ' ';
        scanf ("%s",a);   /* unbounded "%s": writes past a[] when the input exceeds 8 chars */
        printf ("[%c] [%s] [%c]\n",x1,a,x2);
        return 0;
    }

I get:

    pax> ./qq.exe
    dfjdhadgha...lghjdfgjhd
    [s] [dfjdhadgha...lghjdfgjhd] [ ]
    6 [main] qq 4744 _cygtls::handle_exceptions: Error while dumping state
    (probably corrupted stack)
    Segmentation fault (core dumped)

When I change that same program to use "%8s", I get (for exactly the same input):

    pax> ./qq.exe
    dfjdhadgha...lghjdfgjhd
    [ ] [dfjdhadg] [ ]
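The fgets/sscanf pattern recommended above, combined with the width rule ("%8s" needs a 9-byte array), as an added example that is not from the original thread or any of its posters; parse_token, read_token and the WIDTH macro are names chosen here, and the truncation check via %n is an assumption about how you would want to detect an over-long token rather than silently dropping it:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define WIDTH 8         /* maximum field width; the array gets WIDTH + 1 bytes */
#define STR2(x) #x
#define STR(x) STR2(x)  /* turns WIDTH into the string "8" for the format */

/* Parse the first whitespace-delimited token of `line` into `out`, which must
 * hold WIDTH + 1 bytes: up to WIDTH characters plus the null that sscanf
 * appends.  Returns 1 if a token was found, 0 otherwise; *truncated is set
 * to 1 when the token was longer than WIDTH and was cut short. */
int parse_token(const char *line, char out[WIDTH + 1], int *truncated)
{
    int consumed = 0;
    out[0] = '\0';
    *truncated = 0;
    /* "%8s%n": store at most 8 non-space bytes, then record bytes consumed. */
    if (sscanf(line, "%" STR(WIDTH) "s%n", out, &consumed) != 1)
        return 0;
    /* A non-space byte right after the field means the width limit cut the
     * token; report it instead of silently dropping the rest. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        *truncated = 1;
    return 1;
}

/* Read one line with fgets (bounded by sizeof buf) and parse it.  An overlong
 * line is drained so the next call starts on a fresh line boundary, which is
 * what a bare scanf("%s") cannot guarantee. */
int read_token(FILE *fp, char out[WIDTH + 1], int *truncated)
{
    char buf[64];
    if (fgets(buf, sizeof buf, fp) == NULL)
        return 0;
    if (strchr(buf, '\n') == NULL) {
        int c;
        while ((c = getc(fp)) != EOF && c != '\n')
            ;
    }
    return parse_token(buf, out, truncated);
}

int main(void)
{
    char token[WIDTH + 1];   /* 9 bytes, as the standard requires for "%8s" */
    int truncated;
    while (read_token(stdin, token, &truncated))
        printf("[%s]%s\n", token, truncated ? " (truncated)" : "");
    return 0;
}
```

Fed the same over-long input as the test program above, this prints `[dfjdhadg] (truncated)` instead of corrupting the stack.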
See http://www.opengroup.org/onlinepubs/009695399/functions/scanf.html:

    Each directive is composed of one of the following... An optional non-zero decimal integer that specifies the maximum field width.

    s    Matches a sequence of bytes that are not white-space characters. The application shall ensure that the corresponding argument is a pointer to the initial byte of an array of char, signed char, or unsigned char large enough to accept the sequence and a terminating null character code, which shall be added automatically.

So it won't overflow a 9-byte string buffer.
If string is allocated for fewer than 8 characters it will certainly overwrite the buffer; also scanf will not append a null terminator. But as long as you have enough space in string for your value you should not get an overwrite.