问题描述

缓冲溢出代码缝分析！！

#include
#include
#include
#include

const char card[] = "IDB_CARD_";

const char *card_4[] = { "SWORD_", "WAND_", "PENT_", "CUP_" };

const char *card_royal[] = { "KING", "KNAVE", "QUEEN", "KNIGHT" };

char *point_to_card[78] = { NULL };

int sort[78] = { 0 };//the card's sorting

int main()//this is a model to get name in dll ,it's ok
{
char current_name[20] = "0", num[2] = "0";
int count = 0, big_count = 0, card_count = 0;

int i;
strcpy(current_name, card);
for (big_count = 1; big_count <= 5; big_count++)
{
    if (big_count == 1)
    {
        for (count = 0; count <= 21; count++)
        {
            itoa(count, num, 10);
            strcat(current_name, num);
            point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
            strcpy(point_to_card[card_count], current_name);
            strcpy(current_name, card);
            card_count++;
        }
    }
    else{
        for (count = 1; count <= 14; count++)
        {
            if (count <= 10)
            {
                strcat(current_name, card_4[big_count - 2]);
                itoa(count, num, 10);
                strcat(current_name, num);
                point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
                strcpy(point_to_card[card_count], current_name);
                strcpy(current_name, card);
                card_count++;
            }

            else
            {
                strcat(current_name, card_4[big_count - 2]);
                strcat(current_name, card_royal[count - 11]);
                point_to_card[card_count] = (char*)malloc(sizeof(char)*strlen(current_name));
                strcpy(point_to_card[card_count], current_name);
                strcpy(current_name, card);
                card_count++;
            }
        }
    }
}

}
调试时会出现

解决方案

num[2] 大小不够。
内容（"0"~"21"）最多2个字符，字符串结束符 在哪里？
不就溢出了！

解决方案二：

现代C++编译器和RT都会有缓冲区溢出防范机制的。除非你在编译的时候把这些安全选项都关闭。具体看下手册。