gurbe's activity in the archive.
1) STACK grows down
y [RET] ; 32 bit return address pushed on call to function
y-4 [...] ; misc stack contents
y-n [var] ; ASCII overflowable local variable
2) Overflow grows up
overflow ascii string = len(var) + len(...) + "\1\0\0\0"
y ["\0"]
y-1 ["\0"]
y-2 ["\0"]
y-3 ["\1"]
y-4 [len(...)]
y-n [len(var)]
3) Contents of bytes [y-3, y] form, in little endian: 0x01000000
4) 0x01000000 equals 16M; this is the lowest address an ASCII overflow can reach