I thought I knew printf format strings, but I suppose not because I have no idea what %1$.*1$d %2$hn does. Can anyone explain why that increments the value behind a pointer?
For reference, this was presented by Mathias Payer at 32c3.

https://youtu.be/n_tpc7bvPXU?t=2643
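As an added example (not code from the thread or from the talk), the following C function shows what that format string does when argument 1 is a cell's current value and argument 2 is the cell's address. The scratch buffer and the range check are assumptions of this example, not part of the original.

```c
#include <stdio.h>

/* Added example: increment *p using nothing but printf conversions.
 *   %1$.*1$d  prints argument 1 with a precision taken from argument 1, so a
 *             value v is zero-padded to exactly v characters (for v >= 1);
 *             for v == 0 the conversion emits nothing ("%.0d" of 0 is empty).
 *   " "       emits one more character.
 *   %2$hn     stores the number of characters emitted so far, v + 1, as a
 *             short through argument 2.
 * Passing the cell's value as argument 1 and its address as argument 2 leaves
 * the cell holding v + 1.  Output goes to a scratch buffer (assumption: only
 * the %n side effect is wanted, not the padding on stdout).
 * Returns the number of characters the conversion produced, or -1 when the
 * value is outside the range where this works as an increment: a negative
 * precision is treated as if it were omitted, so negative values get no
 * padding and the count no longer equals v + 1. */
int increment_via_format(short *p)
{
    char scratch[4096];
    if (*p < 0 || *p >= (int)sizeof scratch - 1)
        return -1;
    /* *p is read (and promoted to int) before snprintf runs; %2$hn writes the
       character count back through p afterwards. */
    return snprintf(scratch, sizeof scratch, "%1$.*1$d %2$hn", (int)*p, p);
}

int main(void)
{
    short cell = 5;
    int n = increment_via_format(&cell);
    printf("conversion emitted %d characters, cell is now %d\n", n, cell);
    return 0;
}
```

For `cell == 5` the conversion emits `00005` followed by a space, six characters, and `%2$hn` stores 6 into the cell.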
    [ == if (*dataptr == 0) goto ]
Isn't this wrong? I mean, `[` starts a loop, it doesn't mean goto `]`. Unless I'm getting the semantics wrong, at least one iteration should execute, even if the current cell is set at zero.
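For the bracket semantics discussed in this comment, here is a minimal Brainfuck interpreter in C implementing the conventional definition of `[` and `]` (an added example, not code from the talk or from the thread; it omits `,` and `.` because only control flow is at issue, and the step counter and bounds checks are additions of this example).

```c
#include <stddef.h>
#include <string.h>

/* Added example: conventional Brainfuck control flow.
 *   '['  if the current cell is zero, jump forward past the matching ']'
 *   ']'  if the current cell is nonzero, jump back to the matching '['
 * Runs prog over tape (tape_len cells, caller-initialised) and returns the
 * number of instructions executed, or -1 on unbalanced brackets or a pointer
 * leaving the tape.  I/O instructions are ignored. */
int bf_run(const char *prog, unsigned char *tape, size_t tape_len)
{
    size_t pc = 0, dp = 0, len = strlen(prog);
    int steps = 0;

    while (pc < len) {
        switch (prog[pc]) {
        case '>': if (++dp >= tape_len) return -1; break;
        case '<': if (dp == 0) return -1; dp--; break;
        case '+': tape[dp]++; break;
        case '-': tape[dp]--; break;
        case '[':
            if (tape[dp] == 0) {            /* skip the loop body entirely */
                int depth = 1;
                while (depth > 0) {
                    if (++pc >= len) return -1;
                    if (prog[pc] == '[') depth++;
                    else if (prog[pc] == ']') depth--;
                }
            }
            break;
        case ']':
            if (tape[dp] != 0) {            /* loop again */
                int depth = 1;
                while (depth > 0) {
                    if (pc == 0) return -1;
                    pc--;
                    if (prog[pc] == ']') depth++;
                    else if (prog[pc] == '[') depth--;
                }
            }
            break;
        default: break;                     /* ',' '.' and comments: no-op here */
        }
        pc++;
        steps++;
    }
    return steps;
}
```

Running `[+++]` on a zeroed tape executes only the `[` and leaves cell 0 at zero, which is the case the `goto ]` reading describes; `++[>+<-]` moves the value 2 from cell 0 into cell 1.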
It's unclear how much stack-smashing is involved here. The "Control Flow Bending" paper clearly requires overwriting pointers internal to printf.

Is this possible without invoking undefined behavior? FWIW the demos just crash with SIGILL on macOS.
No. There are a lot of lines of code that are not inside a single printf statement. This is nothing special, just an unreadable clutter of random code.