Thread: Overwrite SRET by overflow

  1. #1
    Registered User
    Join Date
    Nov 2019
    Posts
    1

    Overwrite SRET by overflow

    Hi.

    I am trying to overflow an unsigned short variable in order to overwrite a save return address and point it to an address of my preference. Let's assume the address I want to point it to is 0xbfffffff (assume it exists and is a valid accessible address).

    Code:
    
    #include <alloca.h>   // alloca()
    #include <stdlib.h>   // atoi()
    #include <string.h>   // memset()
    
    int main(int argc, char** argv) {
    
        char *buff;
        unsigned short size, i, argumentNum, randomUnusedVar;
    
        size = 65535;
    
        // trying to overflow
        // note: size + 1 is evaluated as int, so this allocates 65536 bytes and does not wrap
        buff = alloca(size + 1);
        memset(buff, '-', size+1);
        
        // read for arguments
        for (i = 1; i < argc; i++) {
            // assume input can only be %c%d i.e. a0 c10 b4  
            // atoi() returns int; storing it in an unsigned short keeps only the low 16 bits
            argumentNum = atoi(argv[i] + 1);
    
            // assume there is some sort of protection against out of bounds access unless overflow
            if (argumentNum >= size) {
               return 1;
            }
    
            // assume there is protection against writing any string
            // only single characters may be written
            buff[argumentNum] = argv[i][0];
        }
        
        return 0;
    
    }
    Executing the code above with arguments like a0 q10 z513 will result in characters a,q,z being written somewhere on the stack (whatever alloca() pointed buff to).

    I was wondering if, with that "single character write-only protection" against writing strings, executing the program with input like buff[66357] = "0xbfffffff"; would be prevented.

    However, I am unsure whether it is still impossible to overwrite the save return address in some way even if our made-up program has this protection.

    P.S. I am doing this for education purposes in a local environment with disabled stack protection in the gcc compiler.

  2. #2
    Registered User
    Join Date
    Dec 2017
    Posts
    1,629
    Code:
    #include <stdio.h>
     
    int main() {
        unsigned short size = 12345;   // 0x3039
        char buff[10];
     
        printf("%d\n", size); // 12345
        // out-of-bounds write (undefined behaviour): buff[-1] is the byte just below buff;
        // where it lands depends on the compiler's stack layout. On the poster's build it
        // hit the high byte of size: 0x3039 -> 0xff39 = 65337
        buff[-1] = 0xff;
        printf("%d\n", size); // 65337 (for me, at least)
     
        return 0;
    }
    A little inaccuracy saves tons of explanation. - H.H. Munro
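Added example (my own code, not from either post) that ties the two posts together from the defender's side: post #1 narrows the atoi() result into an unsigned short before the bounds test, and post #2 shows what an index below the buffer does. The block shows what the narrowing turns hostile inputs into, why a signed index would slip past the thread's ">= size" test, and a hardened parser for the "<char><index>" arguments that rejects signs, whitespace, trailing junk, overflow and out-of-range indexes before any write happens. The function names, the 1024-byte buffer and the argument strings are constructed for the demo.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the thread's parsing: atoi() returns an int, and assigning it to
 * an unsigned short keeps only the low 16 bits. "65536" becomes 0 and "-1"
 * becomes 65535, so the later ">= size" test sees a different number from
 * the one that was typed. */
unsigned short narrowed_index(const char *digits) {
    return (unsigned short)atoi(digits);
}

/* Mirrors the thread's bounds test but with a signed index: "idx >= size"
 * promotes the unsigned short size to int, so a negative index passes and
 * buff[idx] lands below the buffer (the write post #2 demonstrates).
 * Returns true when the naive test would allow the write. */
bool naive_check_allows(int idx, unsigned short size) {
    return !(idx >= size);
}

/* Hardened parser for arguments of the form "<char><decimal index>", e.g.
 * "a0" or "q10". Parses on a wide unsigned type, refuses signs, whitespace,
 * trailing junk and overflow, and compares against the real allocation
 * length before any write. Returns true and stores the index on success. */
bool parse_index(const char *arg, size_t size, size_t *out) {
    if (arg == NULL || arg[0] == '\0' || arg[1] == '\0') return false;
    const char *digits = arg + 1;
    if (!isdigit((unsigned char)digits[0])) return false; /* no '-', '+', ' ' */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(digits, &end, 10);
    if (errno == ERANGE || end == digits || *end != '\0') return false;
    if (v >= size) return false; /* size is the allocation length */
    *out = (size_t)v;
    return true;
}

/* Single-character write guarded by parse_index(). Returns true if the
 * byte was written, false if the argument was rejected. */
bool write_char(char *buff, size_t size, const char *arg) {
    size_t idx;
    if (!parse_index(arg, size, &idx)) return false;
    buff[idx] = arg[0];
    return true;
}

int main(void) {
    /* Constructed inputs: the thread's "a0 q10 z513" plus hostile variants. */
    const char *args[] = { "a0", "q10", "z513", "x-1", "y65536", "w12abc", "v 7" };
    enum { SIZE = 1024 };
    char buff[SIZE];
    memset(buff, '-', SIZE);

    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        bool ok = write_char(buff, SIZE, args[i]);
        printf("%-8s -> %s\n", args[i], ok ? "written" : "rejected");
    }
    printf("atoi(\"65536\") as unsigned short = %u\n", narrowed_index("65536"));
    printf("atoi(\"-1\")    as unsigned short = %u\n", narrowed_index("-1"));
    printf("naive test lets idx=-1 through: %s\n",
           naive_check_allows(-1, 65535) ? "yes" : "no");
    return 0;
}
```

The parser compares on unsigned long long against the allocation length rather than on the narrowed type, which is the property that actually keeps every accepted index inside buff; the narrowing in post #1 only happens to be harmless because the buffer is one byte longer than the largest unsigned short.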
