Fooling C program by entering pointer address


This is only for academic use. Software security course. The teacher wants me to fool the program by entering something, a pointer address I guess, to run a different function than f2 or f3. I can see all memory addresses using GDB. What should I enter to run f1?

Thanks for helping.

#include <stdlib.h>   // atoi
#include <unistd.h>   // read

typedef void (*fptr)(void);

void f1 (void) {...} // f1 address 0x8048559
void f2 (void) {...} // f2 address 0x804857e
void f3 (void) {...} // f3 address 0x8048627

fptr ptrs[3] = {NULL, f2, f3}; // ptrs address 0x804a0d4 (three initializers need three slots)

int main(int argc, char *argv[]) {
    char  buf[1024] = {0}; // buf address 0xbffff130
    int r; // r address 0xbffff530
    fptr p1 = f1; // p1 address 0xbffff534

    r = read(0, buf, sizeof(buf)-sizeof(char));

    if(r > 0) {
        buf[r] = '\0';
        int s = atoi(buf);      // s is never range-checked before indexing ptrs
        fptr tmp = ptrs[s];
        tmp();
    } else {
        return 1;               // 'break' is not valid outside a loop or switch
    }
    return 0;
}
MikeCAT

The array subscript operator a[b] is equivalent to *((a)+(b)).

Addition between a pointer and an integer will first multiply the integer by the size of the type at which the pointer points, then the multiplied value and the pointer are added.

For that reason, the decimal value of (0xbffff534 - 0x804a0d4) / sizeof(fptr) (771675416 if sizeof(fptr) is 4) should work.

If I am right, using that value, the address of ptrs[s] should be the address of p1 and using tmp() the function f1 will be called.
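The root cause is that atoi()'s result is used as an index with no range check, so any integer selects a "slot" somewhere in memory. The dispatch below is an added example (not code from the question or from MikeCAT's answer) showing the checks that close that hole: strict parsing with strtol, a bounds check against the real table size, and a NULL-slot check. The handler bodies and the return codes are my own construction.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*fptr)(void);

int last_called = 0;                    /* records which handler ran (constructed, for checking) */
static void f2(void) { last_called = 2; }
static void f3(void) { last_called = 3; }

/* Same table shape as in the question: slot 0 is deliberately NULL. */
static fptr ptrs[] = { NULL, f2, f3 };
#define NPTRS (sizeof ptrs / sizeof ptrs[0])

/* Parse the input strictly and dispatch only inside the table.
 * Returns 0 on success, -1 for malformed input, -2 for an out-of-range
 * index, -3 if the selected slot holds no handler. */
int dispatch_checked(const char *input)
{
    char *end;
    errno = 0;
    long s = strtol(input, &end, 10);

    /* reject empty input, trailing garbage (a final newline is fine), overflow */
    if (end == input || (*end != '\0' && *end != '\n') || errno == ERANGE)
        return -1;

    /* the check ptrs[s] lacked: anything outside [0, NPTRS) reads memory
     * beyond the table, which is how a stack variable such as p1 became reachable */
    if (s < 0 || (unsigned long)s >= NPTRS)
        return -2;

    if (ptrs[s] == NULL)
        return -3;

    ptrs[s]();
    return 0;
}

int main(void)
{
    char buf[1024];
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    int rc = dispatch_checked(buf);
    printf("rc=%d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Feeding the index from the answer now returns -2 instead of calling through whatever lies at that address.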