(svn r14540) -Codechange: introduce [v]seprintf which are like [v]snprintf but do return the number of characters written instead of the number of characters that would be written; as size_t is unsigned substraction can cause integer underflows quite quickly.

1 files changed, 17 insertions, 1 deletions

diff --git a/src/string_func.h b/src/string_func.h
index 1453170ad..c6d71b56d 100644
--- a/src/string_func.h
+++ b/src/string_func.h
@@ -1,6 +1,19 @@
 /* $Id$ */
 
-/** @file string_func.h Functions related to low-level strings. */
+/** @file string_func.h Functions related to low-level strings.
+ *
+ * @note Be aware of "dangerous" string functions; string functions that
+ * have behaviour that could easily cause buffer overruns and such:
+ * - strncpy: does not '\0' terminate when input string is longer than
+ *   the size of the output string. Use strecpy instead.
+ * - [v]snprintf: returns the length of the string as it would be written
+ *   when the output is large enough, so it can be more than the size of
+ *   the buffer and than can underflow size_t (uint-ish) which makes all
+ *   subsequent snprintf alikes write outside of the buffer. Use
+ *   [v]seprintf instead; it will return the number of bytes actually
+ *   added so no [v]seprintf will cause outside of bounds writes.
+ * - [v]sprintf: does not bounds checking: use [v]seprintf instead.
+ */
 
 #ifndef STRING_FUNC_H
 #define STRING_FUNC_H
@@ -28,6 +41,9 @@ void ttd_strlcpy(char *dst, const char *src, size_t size);
 char *strecat(char *dst, const char *src, const char *last);
 char *strecpy(char *dst, const char *src, const char *last);
 
+int CDECL seprintf(char *str, const char *last, const char *format, ...);
+int CDECL vseprintf(char *str, const char *last, const char *format, va_list ap);
+
 char *CDECL str_fmt(const char *str, ...);
 
 /** Scans the string for valid characters and if it finds invalid ones,