2008/09/27

sprintf_s() is not snprintf()

You are compiling some legacy code with Microsoft Visual Studio. You get a warning telling you
warning C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead.
Of course! So you just change that dangerous sprintf() for a sprintf_s(). The IDE tells you about an additional buffer size parameter, so you may wrongly end up thinking that you are getting the equivalent to Unix's snprintf() or the old MSV _snprintf().

Nope. If you read the docs, you'll learn that sprintf_s() is not truncating the string, but instead invoking the run-time invalid parameter handler, and usually terminating the program. Far better than letting a buffer overflow happen, but maybe not what you were expecting.

No hay comentarios: