On Sat, 11 Jan 2003, Thomas Arp wrote:

> Actually the snprintf statement itself will never overflow, period.

Sure it will. If the data to be written to the buffer is greater than the size specified, snprintf() returns the number of characters that would have been written to the buffer had there been space. Thus, len can become greater than sizeof(buf), meaning that sizeof(buf) - len can become negative. Since the size parameter is size_t, which is unsigned, that negative value will become a large positive and snprintf() will happily overflow your buffer.

Consequently, this use of snprintf() has very limited gains in safety over sprintf(): it's only guaranteed to protect against the first overflow. Subsequent calls to snprintf() will be able to overflow.

All this emphasizes is that snprintf() is not magic. You still have to give it good information for it to do its job. In this case, you're not giving it good information and so there's nothing preventing snprintf() from overflowing your buffer.

-dak

--
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
| Newbie List: http://groups.yahoo.com/group/circle-newbies/ |
+---------------------------------------------------------------+
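The wrap-around described in the reply above, as an added example that is not code from the list post or from CircleMUD. It models the post's buf as the first 16 bytes of a larger canary-filled array (BUFSZ, BACKING, the field names and values are all constructed for the demo) so that the bytes written past the buffer can be counted instead of smashing the stack, and puts a hardened append routine beside the naive one:

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the list post. The post's "buf" is modelled as
 * the first BUFSZ bytes of a larger canary-filled array so the overflow can be
 * observed rather than corrupting the stack. Keys and values are constructed
 * sample data, sized so that call 2 truncates and call 3 sees a wrapped size. */
#define BUFSZ   16
#define BACKING 256
#define CANARY  0xAA

static const char *const KEYS[] = { "username=", "&role=", "&session=" };
static const char *const VALS[] = { "alice", "administrator", "abc" };
#define NFIELDS (sizeof KEYS / sizeof KEYS[0])

struct naive_result { size_t last_size; size_t clobbered; };
struct safe_result  { size_t len; int truncated; };

static unsigned char naive_backing[BACKING];
static char safe_buf[BUFSZ];

/* The pattern the post criticises: len accumulates snprintf()'s return value
 * (the length that WOULD have been written) and the space left is computed as
 * BUFSZ - len in unsigned arithmetic. Call 1 fits (14 bytes); call 2 is
 * truncated but still returns 19, so len becomes 33 and call 3 receives
 * BUFSZ - 33, i.e. SIZE_MAX - 16, as its size argument. */
struct naive_result naive_build(void)
{
    /* Laundered through a volatile pointer so the compiler cannot prove the
     * object size; a _FORTIFY_SOURCE build would otherwise abort call 3 inside
     * __snprintf_chk, which is exactly the mitigation you want in production. */
    unsigned char *volatile base = naive_backing;
    char *buf = (char *)base;
    size_t len = 0, last_size = 0;
    struct naive_result r = { 0, 0 };

    memset(naive_backing, CANARY, BACKING);
    for (size_t i = 0; i < NFIELDS; i++) {
        last_size = BUFSZ - len;                 /* wraps once len > BUFSZ */
        len += snprintf(buf + len, last_size, "%s%s", KEYS[i], VALS[i]);
    }
    r.last_size = last_size;
    for (size_t i = BUFSZ; i < BACKING; i++)     /* canary bytes past buf hit */
        if (naive_backing[i] != CANARY)
            r.clobbered++;
    return r;
}

/* Hardened form: a return value >= the space left means truncation, so stop
 * appending and report it. buf stays NUL-terminated and is never written past
 * bufsz bytes; len never exceeds bufsz - 1, so bufsz - len cannot wrap. */
static int safe_append(char *buf, size_t bufsz, size_t *len,
                       const char *key, const char *val)
{
    if (*len >= bufsz)
        return -1;                               /* nothing left to write into */
    int n = snprintf(buf + *len, bufsz - *len, "%s%s", key, val);
    if (n < 0)
        return -1;                               /* encoding error */
    if ((size_t)n >= bufsz - *len) {             /* truncated */
        *len = bufsz - 1;                        /* strlen(buf) after truncation */
        return 1;
    }
    *len += (size_t)n;
    return 0;
}

struct safe_result safe_build(void)
{
    struct safe_result r = { 0, 0 };
    safe_buf[0] = '\0';
    for (size_t i = 0; i < NFIELDS; i++) {
        if (safe_append(safe_buf, sizeof safe_buf, &r.len, KEYS[i], VALS[i]) != 0) {
            r.truncated = 1;
            break;
        }
    }
    return r;
}

const char *safe_buf_contents(void) { return safe_buf; }

int main(void)
{
    struct naive_result n = naive_build();
    struct safe_result  s = safe_build();
    printf("naive: final size argument %zu, %zu byte(s) written past buf\n",
           n.last_size, n.clobbered);
    printf("safe : \"%s\" (len %zu, truncated=%d)\n",
           safe_buf, s.len, s.truncated);
    return 0;
}
```

The naive loop passes a size near SIZE_MAX on its third call and, on glibc, writes "&session=abc" plus its NUL well past the 16-byte buffer (some libcs such as musl instead reject a size above INT_MAX with -1 and EOVERFLOW, which the naive code also ignores). The hardened version clamps len to bufsz - 1 on truncation, so the remaining-space subtraction can never go negative, and surfaces the truncation to the caller rather than silently producing "username=alice&" as if it were the full record.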
This archive was generated by hypermail 2b30 : 06/26/03 PDT