Home/ Questions/Q 1042959
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T15:35:25+00:00

OWASP says: C library functions such as strcpy (), strcat (), sprintf () and

  • 0

OWASP says:

“C library functions such as strcpy
(), strcat (), sprintf () and vsprintf
() operate on null terminated strings
and perform no bounds checking.”

sprintf writes formatted data to string
int sprintf ( char * str, const char * format, … );

Example:

sprintf(str, "%s", message); // assume declaration and 
                             // initialization of variables

If I understand OWASP’s comment, then the dangers of using sprintf are that

1) if message‘s length > str‘s length, there’s a buffer overflow

and

2) if message does not null-terminate with \0, then message could get copied into str beyond the memory address of message, causing a buffer overflow

Please confirm/deny. Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’re correct on both problems, though they’re really both the same problem (which is accessing data beyond the boundaries of an array).

    A solution to your first problem is to instead use std::snprintf, which accepts a buffer size as an argument.

    A solution to your second problem is to give a maximum length argument to snprintf. For example:

    char buffer[128];

std::snprintf(buffer, sizeof(buffer), "This is a %.4s\n", "testGARBAGE DATA");

// std::strcmp(buffer, "This is a test\n") == 0

    If you want to store the entire string (e.g. in the case sizeof(buffer) is too small), run snprintf twice:

    int length = std::snprintf(nullptr, 0, "This is a %.4s\n", "testGARBAGE DATA");

++length;           // +1 for null terminator
char *buffer = new char[length];

std::snprintf(buffer, length, "This is a %.4s\n", "testGARBAGE DATA");

    (You can probably fit this into a function using va or variadic templates.)

    • 0