[Info-vax] Whither VMS?

Bob Eager rde42 at spamcop.net
Mon Oct 5 12:17:06 EDT 2009


On Mon, 05 Oct 2009 08:37:14 +0200, Michael Kraemer wrote:

> glen herrmannsfeldt wrote:
> 
> 
>> Much easier (and faster) to keep track of the string lengths while they
>> are being created.
> 
> I'm not advocating null termination to be the method of choice for
> length measurement, just that it is not the real culprit for buffer
> overflows.
> 
>> < It's not so easy with fgets() because one can't guess
>> < what's coming down the line.
>> 
>> fgets() is the one with a length argument, it's gets() that doesn't have
>> one.
> 
> OK, it's getting late ...
> 
>> < Likewise with sprintf(), one doesn't know how much space
>> < the formatted stuff would need.
>> 
>> I have wondered about using %f on machines with large exponents like
>> some Cray machines.  %f expands the field to the number of digits
>> needed, which could be thousands on some machines.
> 
> For this (and similar) reasons sprintf() is the real danger out there
> because it can't be easily replaced (unlike gets() and strcat() and
> friends). I'm contemplating a 2-pass workaround writing to /dev/null
> first, thereby counting the number of bytes needed, then calloc'ing the
> output buffer with the appropriate length, so sprintf() would be safe.
> Works on Unix, but would require sort of a null device support in the
> other OSs out there.

But easy on VMS, of course! Sounds a good idea...



-- 
Use the BIG mirror service in the UK:
 http://www.mirrorservice.org
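
Added example, not code from the thread or its participants: a sketch in C of the two-pass idea quoted above, counting the bytes by formatting to a null device and then allocating exactly that much. The name `format_alloc` and the `/dev/null` path are assumptions; it goes one step beyond the thread by falling back to C99 `vsnprintf(NULL, 0, ...)`, which returns the same count on systems without a null device, and by bounding the second pass as well.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pass 1 as described in the thread: format into the null device and
 * use the return value of vfprintf() as the byte count. */
static int count_via_null_device(const char *fmt, va_list ap)
{
    FILE *sink = fopen("/dev/null", "w");   /* assumption: Unix-style null device */
    int n;
    if (sink == NULL)
        return -1;
    n = vfprintf(sink, fmt, ap);
    fclose(sink);
    return n;
}

/* Hypothetical helper: returns a heap buffer sized to fit the formatted
 * text, or NULL on failure. The caller frees it. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    int need, wrote;
    char *buf;

    va_start(ap, fmt);
    need = count_via_null_device(fmt, ap);
    va_end(ap);
    if (need < 0) {                         /* no null device: C99 fallback */
        va_start(ap, fmt);
        need = vsnprintf(NULL, 0, fmt, ap);
        va_end(ap);
    }
    if (need < 0)
        return NULL;

    buf = calloc((size_t)need + 1, 1);      /* +1 for the terminating NUL */
    if (buf == NULL)
        return NULL;

    /* Pass 2 is still bounded, so a mismatch between the two passes
     * truncates and is detected instead of overrunning the buffer. */
    va_start(ap, fmt);
    wrote = vsnprintf(buf, (size_t)need + 1, fmt, ap);
    va_end(ap);
    if (wrote != need) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

With `format_alloc("%f", 1e300)` the result is 308 bytes long, the kind of `%f` expansion mentioned earlier in the thread that a fixed-size `sprintf()` buffer would not anticipate.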