angr / tracer

Utilities for generating dynamic traces
BSD 2-Clause "Simplified" License

Tracer adding zeros to scanf input #48

Closed (mdehavensift closed this issue 2 years ago)

mdehavensift commented 6 years ago

If the number of digits is specified on a scanf, but the input has fewer digits, the input ends up being right-padded with zeros to reach the expected input length.

Here's an example:

adds_zeros.c

#include <stdio.h>

int main() {
  int value;
  /* %4d: consume at most four characters of an optional sign and decimal
   * digits; conversion stops early at the first non-digit or at EOF. */
  scanf("%4d", &value);
  printf("%d\n", value);
  return 0;
}

Run this code

import tracer

# trace the binary with the single byte "5" on stdin
t = tracer.Tracer("adds_zeros", "5")
result, _ = t.run()
# dump what the traced program wrote to fd 1 (stdout)
print(result.posix.dumps(1))

This shows that stdout prints a value of 5000 for the variable 'value' in the C code, but it should have a value of 5. Three zeros are being added to the input to reach the expected input length of 4.

It looks like the length of stdin is being set to the length of the given input on line 986 of tracer.py, but I'm not seeing the effect of that setting.

line 986 of tracer.py

# fix stdin to the size of the input being traced
fs = {'/dev/stdin': angr.storage.file.SimFile(
        "/dev/stdin", "r",
        size=self.input_max_size)}
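A differential check for the divergence reported above, added here as an illustration; it is not part of the angr/tracer project and not the issue author's code. scanf_width_int models glibc's %Nd conversion on a byte buffer, which is the ground truth the emulated scanf has to match. fixed_size_stdin models a stdin whose length is fixed ahead of time, as the SimFile(size=...) quoted from tracer.py is, and whose unused tail reads as a chosen fill byte; filling with b"0" is an assumption that reproduces the reported "5000", not a claim about what angr stores in those bytes, and the NUL case shows that the symptom depends on that fill. traced_stdout is an optional angr-based comparison against the native binary; the API names it uses (angr.Project, SimFile with content and has_end, full_init_state, simulation_manager) are the current public angr API as I understand it, not the old tracer.Tracer API from the issue, so verify them against your angr version.

```python
import subprocess
from typing import Optional, Tuple


def scanf_width_int(buf: bytes, width: int) -> Tuple[Optional[int], bytes]:
    """Model of C scanf("%<width>d") applied to buf.

    Leading whitespace is skipped, then at most `width` bytes of an optional
    sign and decimal digits are consumed.  Conversion stops at the first
    non-digit or at end of input, whichever comes first.  Returns the parsed
    value (None on matching failure, where scanf would return 0) and the
    unconsumed remainder of the buffer.
    """
    i = 0
    while i < len(buf) and buf[i:i + 1].isspace():
        i += 1
    start = i
    j = i
    if j < len(buf) and buf[j:j + 1] in (b"+", b"-") and j - start < width:
        j += 1
    while j < len(buf) and j - start < width and buf[j:j + 1].isdigit():
        j += 1
    field = buf[start:j]
    if not field.strip(b"+-"):
        return None, buf[start:]  # no digits: matching failure, nothing consumed
    return int(field), buf[j:]


def fixed_size_stdin(data: bytes, size: int, fill: bytes = b"0") -> bytes:
    """Model of a stdin buffer whose size was fixed to `size` before the run.

    The native program's stdin ends after `data`, so scanf hits EOF.  A buffer
    sized up front exposes `size - len(data)` extra bytes instead; `fill` is
    what those bytes read as.  b"0" is an assumption chosen because it
    reproduces the "5000" in the issue; b"\\x00" shows the alternative.
    """
    if len(data) > size:
        raise ValueError("input longer than the fixed buffer")
    return data + fill * (size - len(data))


def native_vs_fixed(data: bytes, width: int, size: int,
                    fill: bytes = b"0") -> Tuple[Optional[int], Optional[int]]:
    """Value the native binary reads vs. the value read from a fixed-size buffer."""
    native, _ = scanf_width_int(data, width)
    padded, _ = scanf_width_int(fixed_size_stdin(data, size, fill), width)
    return native, padded


def native_stdout(binary: str, stdin_data: bytes) -> bytes:
    """Run the real binary with the given stdin and capture its stdout."""
    proc = subprocess.run([binary], input=stdin_data, capture_output=True, check=False)
    return proc.stdout


def traced_stdout(binary: str, stdin_data: bytes) -> bytes:
    """Run `binary` under angr with a finite, concrete stdin and return stdout.

    Needs angr installed (imported here so the rest of the module runs
    without it).  has_end=True marks stdin as ending after stdin_data, which
    is the property the fixed-size SimFile quoted in the issue does not have.
    API names are an assumption about current angr; check them locally.
    """
    import angr

    proj = angr.Project(binary, auto_load_libs=False)
    stdin = angr.SimFile("stdin", content=stdin_data, has_end=True)
    state = proj.factory.full_init_state(stdin=stdin)
    simgr = proj.factory.simulation_manager(state)
    simgr.run()
    outputs = [s.posix.dumps(1) for s in simgr.deadended]
    return outputs[0] if outputs else b""


if __name__ == "__main__":
    # Offline reproduction of the symptom: "5" parses as 5 natively, but as
    # 5000 once the buffer is padded to four bytes with "0".
    print(native_vs_fixed(b"5", 4, 4))
    # Optional differential run against a compiled ./adds_zeros, if angr is present.
    try:
        print(native_stdout("./adds_zeros", b"5"), traced_stdout("./adds_zeros", b"5"))
    except (ImportError, FileNotFoundError) as exc:
        print("differential run skipped:", exc)
```

The offline part is the useful regression check: any emulated scanf whose result on the padded buffer differs from scanf_width_int on the raw input is reading bytes the native program never sees. Note that the fixed-size modelling only reproduces the bug when the fill byte is a digit; NUL padding leaves the parse at 5, so the value the tracer shows says something about how the tail of the pre-sized stdin is being concretized.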

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.