[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer overflow in documentation

From: Bruno Haible
Subject: Re: Buffer overflow in documentation
Date: Sat, 11 Apr 2020 23:42:27 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-174-generic; KDE/5.18.0; x86_64; ; )

Hi Roland,

> https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html
> The above documentation mentions the sprintf function. It should rather
> mention snprintf instead, to protect against buffer overflows.

These two code snippets

  strcpy (s, "Replace ");
  strcat (s, object1);
  strcat (s, " with ");
  strcat (s, object2);
  strcat (s, "?");


  sprintf (s, "Replace %s with %s?", object1, object2);

are meant to highlight the difference between pieces of strings and a format

In both snippets, enough memory must be present at 's'.

If the doc were to use safer string primitives, like snprintf, it would only
distract from what the example is meant to focus on.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]