io_file的结构
truct_IO_FILE5.{6.int_flags;/*High-orderwordis_IO_MAGIC;restisflags.*/7.8./*ThefollowingpointerscorrespondtotheC++streambufprotocol.*/9.char*_IO_read_ptr;/*Currentreadpointer*/10.char*_IO_read_end;/*Endofgetarea.*/11.char*_IO_read_base;/*Startofputback+getarea.*/12.char*_IO_write_base;/*Startofputarea.*/13.char*_IO_write_ptr;/*Currentputpointer.*/14.char*_IO_write_end;/*Endofputarea.*/
15.char*_IO_buf_base;/*Startofreservearea.*/16.char*_IO_buf_end;/*Endofreservearea.*/17.18./*Thefollowingfieldsareusedtosupportbackingupandundo.*/19.char*_IO_save_base;/*Pointertostartofnon-currentgetarea.*/20.char*_IO_backup_base;/*Pointertofirstvalidcharacterofbackuparea*/21.char*_IO_save_end;/*Pointertoendofnon-currentgetarea.*/22.23.struct_IO_marker*_markers;24.25.struct_IO_FILE*_chain;26.27.int_fileno;28.int_flags2;29.__off_t_old_offset;/*Thisusedtobe_offsetbutit'stoosmall.*/30.31./*1+columnnumberofpbase();0isunknown.*/32.unsignedshort_cur_column;33.signedchar_vtable_offset;34.char_shortbuf[1];35.36._IO_lock_t*_lock;37.#ifdef_IO_USE_OLD_IO_FILE38.};
改变io_buf_base 的值,从而覆盖io_file的结构,从而在覆盖的io_buf_base的值处写数据
要绕过
io_read_ptr==io_read_end
getchar()可以使ptr+1
扫一扫
943
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
