arnuld said:
I searched the archives and really much confused. "Ben Pfaff" says:
The point is that strncpy() is as dangerous
as strcpy() if it isn't used with care.
This is true. In particular you can cause a buffer overrun just as
easily with strncpy as you can with strcpy.
In fact you cause a buffer overrun with just about every Standard C
function that takes a pointer to one. The only solution to this would
be either interpreting the code or adding runtime checks for all
pointer operations.
and regarding sprintf vs snprint I get this from "Aleksander Nabaglo"
1: Calculate needed buffer size,
2: Use assert: bug will not be hidden.
int nsp=0;
sprintf(buf, " ..... %n", /* args */ , &nsp);
if(buf_size <= nsp) { assert(0 & " buf[] too short ");
exit(SOME_ERROR_CODE);
is that okay ?
No, it won't compile. Besides a buffer overrun has already triggered
undefined behaviour by the time the if statement is executed, so we
cannot rely on it's behaviour either.
I also heard from someone that using assert() in code going to be
shipped is a bad idea. All assert statement, before the delivery, must
be removed.
It's poor programming to depend on assert for error checking. Assert is
therefore internal consistency verification during development. It's
always possible for a customer to compile your program with NDEBUG
defined, and if your program does error or validity checking with
assert, then it's rendered very fragile.
Do you have some code for safe sprintf() ?
Why? It's easy enough to write your own. Here is it's description from
the Standard:
7.19.6.6 The sprintf function
Synopsis
1 #include <stdio.h>
int sprintf(char * restrict s,
const char * restrict format, ...);
Description
2 The sprintf function is equivalent to fprintf, except that the output
is written into an array (specified by the argument s) rather than to
a stream. A null character is written at the end of the characters
written; it is not counted as part of the returned value. If copying
takes place between objects that overlap, the behavior is undefined.
Returns
3 The sprintf function returns the number of characters written in the
array, not counting the terminating null character, or a negative
value if an encoding error occurred.
I actually thought snprint() will save me from buffer problems and now
after a little search I can see that I was using it blindly.
As I said elsewhere, provided the second argument is indeed the size of
the first, then buffer overrun *will* be prevented, though data loss
will occur.
One solution is to use snprintf itself to determine the minimum size of
the buffer that will be required and use a sufficiently large one.
Anyway, I
still like the for( int i = 0;..) localization in C99. I don't like my
programs to be polluted by some index numbers when I know I am on
Linux for next decade, at least.
If your functions are relatively short then there won't be
much "pollution" as you call it. You could also introduce a block,
though that's a very ugly solution, IMO.
PS. "Knowing" things for as much as a decade in advance is very risky in
computing (not the theoretical side.) If I were you, I'd still try to
keep my routines as portable as possible if the costs are not too high.