29 Jul, 2015, alteraeon wrote in the 21st comment:
AA almost exclusively uses sprintf, and all but a few of the uses are safe, with sanity checks that would tell us if there was an overflow that didn't crash the system. It's pretty easy:
- we use global static print buffers and guard space in such a way as to give a safe overflow area and detection logic
- the maximum size of user entered data is known and small
- the maximum size of user data after expansions, aliases, and variable replacement is known and small
- the maximum size of descriptions is known and less than the print buffers
Taken together? The last time we had a sprintf overflow was on the order of 2005. I think. I honestly can't even remember one that didn't involve violating the sprintf constraints by printing a string on top of itself, back when I was more of a noob than now.
I'd be the last one to say that our setup is perfect. Strictly using snprintf would certainly add another layer of protection. I even considered using it back in the olden days, but decided against it because it didn't exist in most C libraries at the time. What I will say is that if you regularly see sprintf overflow issues, it's because you're doing it wrong, not because sprintf is naturally unsafe.
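An added example of the "another layer of protection" mentioned above, written for this thread and not taken from Alter Aeon's code: snprintf reports the length the full output would have had, so the caller can detect the case where a plain sprintf into the same fixed buffer would have run past the end. The buffer size, the message format and the sample inputs are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size print buffer, standing in for the global
 * static print buffers the post describes. */
#define PRINT_BUF_SIZE 64

/* Format "<name> says: <text>" into out (capacity out_size) with snprintf.
 * Returns true if the whole message fit, false if it was truncated.
 * snprintf returns the number of characters the complete output would
 * need (excluding the NUL); a value >= out_size means an unbounded
 * sprintf of the same arguments would have overflowed the buffer.
 * Either way, out is always NUL-terminated when out_size > 0. */
bool format_say(char *out, size_t out_size, const char *name, const char *text)
{
    int needed = snprintf(out, out_size, "%s says: %s", name, text);
    if (needed < 0) {          /* encoding error: leave an empty string */
        if (out_size > 0)
            out[0] = '\0';
        return false;
    }
    return (size_t)needed < out_size;
}

/* Run a few constructed inputs (not real player data) through the
 * formatter and count how many would have overflowed under sprintf. */
int count_overflows(void)
{
    static const char *const names[] = { "bob", "alice", "mallory" };
    static const char *const texts[] = {
        "hello",
        "user data is known and small",
        /* 80 bytes of input: longer than the whole print buffer */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    char buf[PRINT_BUF_SIZE];
    int overflows = 0;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!format_say(buf, sizeof buf, names[i], texts[i])) {
            overflows++;
            /* This is the point where detection logic would log the
             * offending caller instead of silently corrupting memory. */
        }
    }
    return overflows;
}

int main(void)
{
    char buf[PRINT_BUF_SIZE];

    if (format_say(buf, sizeof buf, "bob", "hello"))
        printf("fit:       %s\n", buf);
    printf("overflows detected among samples: %d\n", count_overflows());
    return 0;
}
```

The truncation flag is the useful part: a formatter that returns it lets the caller fail the command or log the oversized input, which is the kind of sanity check the post relies on, without depending on guard space after the buffer to notice the problem after the fact.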
>it's because you're doing it wrong, not because sprintf is naturally unsafe.
Or because a program evolves and now takes user input when it only used a sanitized database before. It IS naturally unsafe. Just like a landmine is. One day you get drunk and forget one step and you are dead.