| /* Save a pointer to a string via sprintf() | |
| After the pointer is free'd restore it | |
| with sscanf() and use it. */ | |
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #define BUFSZ 1000 | |
| char buffer[BUFSZ]; | |
| void f(); | |
| void f() | |
| { | |
| char *ptr; | |
| sscanf(buffer, "%p", &ptr); | |
| strcpy(ptr, "Use after free"); | |
| } | |
| int main() | |
| { | |
| char *m; | |
| m = malloc(100); | |
| snprintf(buffer, BUFSZ, "%p", m); | |
| free(m); | |
| f(); | |
| return 0; | |
| } |