Suppose you have the following declaration:
```cpp
// looks pretty secure at a glance
class Safe {
public:
    void Store(int amount) { this->money += amount; }
private:
    int money = 0;   // initialised so the first Store() does not add to an indeterminate value
};
```
Now, Safe doesn't provide a way to take money out of the Safe, or so you think. What's important here is that DecoySafe has the exact same layout in memory that Safe does, just with the restrictions relaxed.
```cpp
class DecoySafe {
public:
    void Store(int amount);   // never called below, so a declaration is enough
public:                       // note: public
    int money;
};
```
Now we're just a pointer conversion away from getting into anyone's safe:
```cpp
// Both classes are assumed to be declared above.
Safe* lockbox = new Safe;
lockbox->Store(500);
DecoySafe* decoy = reinterpret_cast<DecoySafe*>(lockbox);   // undefined behaviour
int ransom = decoy->money;
decoy->money -= ransom;
delete lockbox;
```
Undoubtedly this falls into the realm of undefined behavior (reinterpret_cast being your first clue); however, I've heard it's been used when needing to extend third-party, source-only libraries.