
Hacker challenge - locate the vulnerability in the code

Updated: 2023-09-11 23:03:16


Actually, the vulnerability lies in the fact that you can store a character at any offset in the buffer allocated with alloca, but the test is done on length rather than size. Passing arguments of 65535 and a1 invokes undefined behavior: size has the value 0 because of arithmetic wraparound if unsigned short has 16 bits.


You can try passing a first argument of 65535 and subsequent arguments with increasing offsets, that will poke values beyond the end of buffer, possibly overwriting the return address of main and causing a crash:

myprog 65535 a3 a7 a15 a19 a23 a27 a31 a35 a39 a43 a47 a51 a55 a59 a63 ...


Depending on the actual local variable layout, the required offset may be larger than 17, but should be smaller than 80.
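The challenge program itself is not reproduced on this page, so the following is an added example, not the challenge's code or the answerer's. It assumes, as the answer describes, that a buffer size is derived from a user-controlled length and stored in an unsigned short, and that a write offset is validated against the requested length rather than the allocated size. The block shows the 16-bit wraparound that turns a length of 65535 into a size of 0, and the two checks that prevent it: rejecting lengths whose size does not fit, and bounding the offset by the allocated size.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical reconstruction of the weak size computation: the buffer is
 * sized as length + 1 (room for a terminating NUL) and the result is kept
 * in an unsigned short. With a 16-bit unsigned short, length 65535 gives
 * 65536, which wraps to 0, so alloca would receive a size of 0. */
unsigned short naive_size(unsigned long length) {
    unsigned short size = (unsigned short)(length + 1);
    return size;
}

/* Hardened variant: returns the size, or 0 when length + 1 does not fit in
 * an unsigned short. 0 is never a valid size here (length + 1 >= 1), so the
 * caller can treat 0 as "reject this input" before calling alloca. */
unsigned short checked_size(unsigned long length) {
    if (length >= USHRT_MAX) {   /* length + 1 would exceed USHRT_MAX */
        return 0;
    }
    return (unsigned short)(length + 1);
}

/* The bounds test the answer says is missing: compare the write offset with
 * the allocated size, not with the user-supplied length. Returns 1 when the
 * write at `offset` stays inside a buffer of `size` bytes. */
int offset_in_bounds(unsigned long offset, unsigned short size) {
    return offset < size;
}
```

Both functions are pure so the wraparound can be checked without allocating anything; in the real program the value of `checked_size` would be the argument handed to alloca, and `offset_in_bounds` would guard every store into that buffer.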