Re: strncpy negative value
On 9/18/07 7:29 AM, in article
1190099751.037075.213620@w3g2000hsg.googlegroups.com, "Daniel Kr?gler"
<daniel.kruegler@googlemail.com> wrote:
Yes, I know, that you can fool strlcpy in those cases, where
strlen(source) >= buffer capacity, but the point is which error
domains you want to prevent? Please note that even the so-called
"safer" *_s CRT extension of Microsoft would stumble across
the same issue, because they also use size_t max_size parameters.
No, strncpy_s() is a safer routine than strlcpy() precisely because
strncpy_s() is not tripped up in the case that strlen(source) equals or
exceeds the size of the destination buffer:
char * a = "c:test.xls";
char b[2];
int c = -2;
strncpy_s(b, sizeof(b), a, c); // no buffer overrun
In this example, the c parameter (when interpreted as an unsigned value) far
exceeds the value of the second parameter (the size of the destination
buffer); so strncpy_s() is able to avoid copying chars past the end of the b
array - whereas strncpy() or strlcpy() would overrun the buffer.
Note that ISO C Technical Report 2 makes strncpy_s() safer still, by
declaring a new typedef, rsize_t, to complement size_t. Even though rsize_t
has the same type as size_t, the range of acceptable values for an rsize_t
variable is more constrained. An rsize_t variable with a value greater than
RSIZE_MAX is automatically treated as a runtime constraint violation. And
since RSIZE_MAX will usually be defined as SIZE_MAX >> 1, an interface that
accepts rsize_t parameters (instead size_t parameters, where appropriate)
will be able to catch many of these kinds of accidental signed-to-unsigned
conversions which the current C library routines do not detect.
Greg
--
[ See http://www.gotw.ca/resources/clcm.htm for info about ]
[ comp.lang.c++.moderated. First time posters: Do this! ]