When getc finds _IO_buf_base empty, control goes to _IO_doallocbuf to set up the stream buffer
/*
 * Excerpt from scanf: the caller that reaches _IO_doallocbuf when the
 * stream has no read buffer yet.  A pending push-back buffer
 * (_IO_save_base) is released first and the backup flag cleared.
 */
if (fp->_IO_buf_base == NULL) {
    /* Maybe we already have a push back pointer. */
    if (fp->_IO_save_base != NULL) {
        free (fp->_IO_save_base);
        fp->_flags &= ~_IO_IN_BACKUP;
    }
    _IO_doallocbuf (fp);
}

/*
 * _IO_doallocbuf: make sure fp has a buffer.
 *
 * - Buffer already present: return immediately.
 * - Stream is not _IO_UNBUFFERED, or fp->_mode > 0: ask the stream's own
 *   allocator via _IO_DOALLOCATE, which is an indirect call through the
 *   FILE's vtable (__doallocate).  Because the target of that call is read
 *   from the FILE object itself, the integrity of the vtable pointer is what
 *   keeps this jump honest; glibc versions from 2.24 onward check the pointer
 *   against the libio vtable section (IO_validate_vtable) before jumping.
 * - Otherwise, or if the allocator reports EOF: fall back to the embedded
 *   one-byte _shortbuf so the stream still has a valid buffer.
 */
void
_IO_doallocbuf (_IO_FILE *fp)
{
    if (fp->_IO_buf_base != NULL) {
        /* Input buffer is already set up; nothing to do. */
        return;
    }

    int wants_real_buffer = !(fp->_flags & _IO_UNBUFFERED) || fp->_mode > 0;
    if (wants_real_buffer) {
        /* vtable dispatch: fp->vtable->__doallocate (fp) */
        int rc = _IO_DOALLOCATE (fp);
        if (rc != EOF) {
            return;
        }
    }

    /* Unbuffered stream or allocation failure: use the one-byte short buffer. */
    _IO_setb (fp, fp->_shortbuf, fp->_shortbuf + 1, 0);
}
libc_hidden_def (_IO_doallocbuf)
_IO_doallocbuf:
Then the vtable call is triggered, which completes the hijack; this challenge has a backdoor