Reputation: 1309
I've been experimenting with C a little bit. I usually use PHP and javascript.
I did "Hello World" and then I typed in this, which I copied from a website somewhere...
    #include <stdio.h>
    #include <stdlib.h>
    #define MAX 20

    int intcmp(const void *v1, const void *v2){
        return (*(int *)v1 - *(int *)v2);
    }

    int main(void){
        int arr[MAX], count, key, *ptr;
        printf("Enter %d integer values; press enter after each\n", MAX);
        for (count = 0; count < MAX; count++)
            scanf("%d", &arr[count]);
        puts("Press a key to sort the values");
        getc(stdin);
        qsort(arr, MAX, sizeof(arr[0]), intcmp);
        for (count = 0; count < MAX; count++)
            printf("\narr[%d] = %d.", count, arr[count]);
        puts("\nPress a key to continue");
        getc(stdin);
        printf("Enter a val to search for");
        scanf("%d", &key);
        ptr = (int *)bsearch(&key, arr, MAX, sizeof(arr[0]), intcmp);
        if (ptr != NULL){
            int fred = (ptr - arr);
            printf("%d found at arr[%d]", key, fred);
        }else{
            printf("%d not found", key);
        }
        return 0;
    }
So far so good. I'm trying to understand what all the stars do, but it's falling into place (ha ha - falling stars :)
However, if I type in a float e.g. 21.45 when it asks me for 20 integers, it rushes through to "Enter a val to search for" having filled the 20 array values with weird numbers.
Have I created some sort of buffer overflow? I realise that input should be checked - but I'm interested to know what I've done. Could I use my program to run arbitrary code? (Well, no, not with my knowledge... but could someone?)
Upvotes: 3
Views: 184
Reputation: 121971
However, if I type in a float e.g. 21.45 when it asks me for 20 integers, it rushes through to "Enter a val to search for" having filled the 20 array values with weird numbers
If you enter a value such as 21.45 the call to scanf("%d") will fail, as it is not an int, and will leave the .45 in stdin (the 21 will be extracted as a valid int) to be processed again. This causes the loop to re-read this value again and again (as it fails every time). The weird numbers are due to the elements of the array being uninitialised.
Check the return value of scanf(), which returns the number of assignments made, and if it fails skip whatever is in stdin:
    int count = 0;
    while (count < MAX)
    {
        int rc = scanf("%d", &arr[count]);
        if (1 == rc)
        {
            count++; /* OK, so get next. */
        }
        else if (EOF == rc)
        {
            break; /* End of input: stop instead of looping forever. */
        }
        else
        {
            /* !OK, skip invalid input. */
            int c;
            while ((c = fgetc(stdin)) != EOF && c != '\n');
        }
    }
Upvotes: 5
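An added example, not part of the answer above: a line-based alternative to the scanf("%d") loop that reads each line with fgets and converts it with strtol, so input such as 21.45 is rejected whole instead of yielding 21 and leaving .45 in stdin. The names parse_int_line and read_ints and the 64-byte line buffer are assumptions of this example; the return value tells the caller how many array elements were actually written, so no uninitialised element is ever printed or sorted.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a whole line as an int: 1 on success, 0 if empty, junk or out of range. */
int parse_int_line(const char *line, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return 0;   /* "21.45": reject the line, do not keep the 21 */
    *out = (int)v;
    return 1;
}

/* Read up to max ints, one per line; returns how many elements were written. */
size_t read_ints(FILE *in, int *arr, size_t max)
{
    char line[64];   /* assumed line length limit for this example */
    size_t n = 0;
    while (n < max && fgets(line, sizeof line, in) != NULL) {
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] != '\n' && !feof(in)) {
            int c;   /* overlong line: discard the rest of it */
            while ((c = fgetc(in)) != EOF && c != '\n') {}
            continue;
        }
        if (parse_int_line(line, &arr[n]))
            n++;
    }
    return n;
}

int main(void)
{
    int arr[20];
    size_t i, n = read_ints(stdin, arr, 20);   /* n may be less than 20 */
    for (i = 0; i < n; i++)
        printf("arr[%zu] = %d\n", i, arr[i]);
    return 0;
}
```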
Reputation: 885
If you want to get a float, then in the scanf you need to have:
    scanf("%f", &arr[count]);
Additionally, you need to declare your array as float arr[MAX]
Upvotes: 0
Reputation: 105886
If you fill the standard input with something that's not in the right format (in this case a float), the extraction of the value will fail. However, the broken data won't get extracted from the input stream. This means that scanf will fail repeatedly. As such, your arr[0...MAX-1] is not filled at all by scanf.
Upvotes: 2