I saw use of this pattern to concatenate onto a string in some code I was working on:
sprintf(buffer, "%s <input type='file' name='%s' />
", buffer, id);
sprintf(buffer, "%s</td>", buffer);
and I'm fairly certain it's not safe C. You'll notice that buffer
is both the output and the first input.
Apart from the obvious possibility of a buffer overflow, I believe there is no guarantee that buffer doesn't get changed between the start and the end of the function (i.e., there is no guarantee as to what the state of buffer will be during the execution of the function). The signature of sprintf additionally specifies that the target string is restrict
ed.
I also recall a report of a speculative writing in memcpy, and I see no reason why some C library might do the same thing in a sprintf. In this case, of course, it would be writing to its source. So is this behaviour safe?
FYI, I proposed:
char *bufEnd = buffer + strlen(buffer);
/* sprintf returns the number of f'd and print'd into the s */
bufEnd += sprintf(bufEnd, " <input type='file' name='%s' />
", id);
to replace this.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…