cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] banning "unsafe" functions

From: Oscar Koeroo <>
Date: Wed, 06 Mar 2013 18:51:55 +0100

On 06-03-13 13:34, Daniel Stenberg wrote:
> Hi,
> As a result of the last security vulnerability we had, I'm adding new
> code to checksrc that will alert us on uses of (v)sprintf, strcat and
> gets in the code base.
> This is meant to be an additional tool to help us detect unsafe code
> easier, since all those functions are too easily used without careful
> considerations of all possible side-effects.
> I also had to clean up some code so that this wouldn't immediately start
> complaining! =)
> Comments or improvements?

You've used aprintf(). I personally love aprintf(), but OSX 10.6 and a
lot of older systems are not equipped with such a beautiful feature.
Probably not even POSIX.

To do the same I recommend

count = snprintf(NULL, 0, "myformat");  /* C99: returns the length without the NUL */
buf = malloc(count + 1);                /* +1 for the terminating NUL */
snprintf(buf, count + 1, "myformat");

Or solve it with macro-foo to introduce the equivalence of aprintf()
into libcurl.
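The snprintf(NULL, 0, ...) sizing idiom above, carried through into a complete function, as an added example that is not part of the mail and not libcurl's own aprintf() implementation. The function name portable_aprintf is hypothetical; it relies only on C99 vsnprintf() and va_copy(), so it works where aprintf() is missing. The off-by-one to watch for is that the first pass returns the length excluding the terminating NUL, so the allocation and the second pass both need one extra byte, and a negative return (encoding error) must be treated as failure rather than used as a size.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical portable replacement for aprintf(): formats into a freshly
   malloc()ed buffer sized by a first vsnprintf() pass. Returns NULL on a
   formatting or allocation failure; the caller free()s the result. */
char *portable_aprintf(const char *fmt, ...)
{
    va_list ap, ap2;
    int needed;
    char *buf;

    va_start(ap, fmt);
    va_copy(ap2, ap);                       /* a va_list can only be walked once */
    needed = vsnprintf(NULL, 0, fmt, ap);   /* C99: length excluding the NUL */
    va_end(ap);
    if(needed < 0) {                        /* encoding error: not a usable size */
        va_end(ap2);
        return NULL;
    }
    buf = malloc((size_t)needed + 1);       /* +1 for the terminating NUL */
    if(!buf) {
        va_end(ap2);
        return NULL;
    }
    vsnprintf(buf, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Shows what the missing +1 costs: formatting into a buffer of exactly
   `needed` bytes silently drops the last character. Returns the number of
   characters actually stored, which is one short of the full length. */
size_t truncated_length(const char *s)
{
    size_t needed = strlen(s);
    char *buf = malloc(needed);             /* deliberately one byte too small */
    size_t stored;
    if(!buf)
        return 0;
    snprintf(buf, needed, "%s", s);         /* snprintf NUL-terminates within `needed` */
    stored = strlen(buf);
    free(buf);
    return stored;
}

int main(void)
{
    char *s = portable_aprintf("Host: %s:%d", "example.com", 443); /* constructed input */
    if(!s)
        return 1;
    printf("%s (%zu chars + NUL)\n", s, strlen(s));
    printf("with malloc(count) only %zu chars survive\n", truncated_length(s));
    free(s);
    return 0;
}
```

Compile with any C99 compiler; the second line of output is the one the original malloc(count) sizing would silently produce.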


Received on 2013-03-06