[Info-vax] Whither VMS?
Michael Kraemer
M.Kraemer at gsi.de
Mon Oct 5 02:37:14 EDT 2009
glen herrmannsfeldt schrieb:
>
> Much easier (and faster) to keep track of the string lengths
> while they are being created.
I'm not advocating null termination to be the method
of choice for length measurement, just that
it is not the real culprit for buffer overflows.
> < It's not so easy with fgets() because one can't guess
> < what's coming down the line.
>
> fgets() is the one with a length argument, its gets() that
> doesn't have one.
OK, it's getting late ...
> < Likewise with sprintf(), one doesn't know how much space
> < the formatted stuff would need.
>
> I have wondered about using %f on machines with large exponents
> like some Cray machines. %f expands the field to the number of
> digits needed, which could be thousands on some machines.
For this (and similar) reasons sprintf()
is the real danger out there because it can't be easily
replaced (unlike gets() and strcat() and friends).
I'm contemplating a 2-pass workaround writing to /dev/null first,
thereby counting the number of bytes needed, then calloc'ing
the output buffer with the appropriate length, so sprintf()
would be safe. Works on Unix, but would require sort of a
null device support in the other OSs out there.
More information about the Info-vax
mailing list