Re: [Code] Strange error.

From: Thomas Arp (t_arp@stofanet.dk)
Date: 01/10/03


From: "Daniel A. Koepke" <dkoepke@CIRCLEMUD.ORG>
> On Sat, 11 Jan 2003, Thomas Arp wrote:
> > Actually the snprintf statement itself will never overflow, period.
>
> Sure it will.  If the data to be written to the buffer is greater than the
> size specified, snprintf() returns the number of characters that would
> have been written to the buffer had there been space.  Thus, len can
> become greater than sizeof(buf), meaning that sizeof(buf) - len can become
> negative.  Since the size parameter is size_t, which is unsigned, that
> negative value will become a large positive and snprintf() will happily
> overflow your buffer.

Ack! Sorry everyone. Dak is right (again). After reading and re-reading the
C library documentation, I realized the error of my ways. I'll just go
and make myself a string type, as I outlined in my other mail, to prevent
strange happenings. This time I'll add some more checks! On the other hand,
I'm the only one tampering with the code atm... hmm..

Can't this be fixed by changing calls to snprintf to this?

/* clamp len before using it, so neither the pointer nor the size argument
   can run past the end of buf; MIN() as in utils.h: ((a) < (b) ? (a) : (b)) */
len += snprintf(buf + MIN(len, sizeof(buf) - 1),
                sizeof(buf) - MIN(len, sizeof(buf) - 1),
                "text here");

It'd be slow like hell, but it wouldn't ever overflow..

Welcor

--
   +---------------------------------------------------------------+
   | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
   | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
   | Newbie List:  http://groups.yahoo.com/group/circle-newbies/   |
   +---------------------------------------------------------------+
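Added illustration for the thread above (not code from either poster or from CircleMUD): the first function shows the size argument the unchecked `len += snprintf(buf+len, sizeof(buf)-len, ...)` pattern hands to snprintf() once len has already passed the buffer size, and append_bounded() is one way to keep a running offset from ever doing that. The names append_bounded, build_line, demo and BUF_SZ are made up for the example; the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stddef.h>

#define BUF_SZ 16   /* deliberately small so the truncation case is easy to see */

/* The quantity the unchecked pattern passes as snprintf()'s size once len
 * has grown past the buffer: size_t arithmetic wraps, so a "negative"
 * remaining length becomes a huge positive one. Computed, not used. */
size_t unchecked_size_arg(size_t len)
{
    return (size_t)BUF_SZ - len;   /* wraps to near SIZE_MAX when len > BUF_SZ */
}

/* Bounded append. Keeps the invariant *len <= cap - 1, so buf + *len and
 * cap - *len are always valid. Returns 1 if the text fit, 0 if it was
 * truncated (or the buffer was already full). */
int append_bounded(char *buf, size_t cap, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0 || *len >= cap)       /* nothing can be written safely */
        return 0;

    va_start(ap, fmt);
    n = vsnprintf(buf + *len, cap - *len, fmt, ap);
    va_end(ap);

    if (n < 0)                         /* encoding error: leave len alone */
        return 0;
    if ((size_t)n >= cap - *len) {     /* did not fit: clamp to the last slot */
        *len = cap - 1;
        return 0;
    }
    *len += (size_t)n;                 /* fit entirely: advance normally */
    return 1;
}

/* Builds a line the way a MUD command does it: several appends in a row.
 * Returns the final length; later appends stay safe after a truncation. */
size_t build_line(char *buf, size_t cap)
{
    size_t len = 0;
    append_bounded(buf, cap, &len, "%s", "Hello, ");
    append_bounded(buf, cap, &len, "%s", "this string is too long for the buffer");
    append_bounded(buf, cap, &len, "%d", 42);
    return len;
}

/* Returns 1 if the built line is exactly cap - 1 characters and NUL-terminated. */
int demo(void)
{
    char buf[BUF_SZ];
    size_t len = build_line(buf, BUF_SZ);
    return len == BUF_SZ - 1 && strlen(buf) == len;
}

int main(void)
{
    char buf[BUF_SZ];
    printf("unchecked size arg for len=20: %zu\n", unchecked_size_arg(20));
    printf("bounded line (%zu chars): \"%s\"\n", build_line(buf, BUF_SZ), buf);
    return demo() ? 0 : 1;
}
```

The point of the helper is that the offset is clamped at the moment of truncation, so the next call still receives a pointer inside the buffer and a size of at least one byte; a checking step like this is what the MIN() clamp in the proposed call is trying to achieve.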



This archive was generated by hypermail 2b30 : 06/26/03 PDT