On 11/23/2016 03:29 PM, Denys Vlasenko wrote: > On Tue, Nov 22, 2016 at 5:07 PM, Rich Felker <[email protected]> wrote: >>> Different projects choose their paranoias differently. >>> >From its inception, bbox was paranoid about code size. >>> >>> If you see an actual bug where buffer can overflow, >>> I'm more than willing to fix it. >>> >>> But if there is no actual bug, and it's just a general concern >>> that "it looks unsafe", then code size trumps it. >> >> Have you stopped to consider the size from pulling in the deprecated >> sprintf function to begin with? If all references to it were removed, >> then static-linked busybox would only have snprintf, not sprintf. On >> musl/i386 this would only save about 50 bytes but it might save more >> on other archs or libcs. > > I found nearly 200 instances of sprintf() use in current bbox git. > I'm not embarking on a quest to replace all of them.
Why would sprintf() be deprecated? (Deprecated by who?) If you know what data you're printing into your string, you should be fine. If you don't know what data you're printing into it, randomly truncating your output is its own kind of bug. And requiring an extra argument every time just so you can randomly truncate your output seems kinda silly. Rob _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
