Hello,

> Julien, you have to answer Matt Zimmerman's question:
> > gets() is _inherently_ insecure (there is no way to prevent it from
> > writing beyond the end of the buffer), and so it should never be used.
> > It is perfectly possible, however, to use sprintf and vsprintf securely,
> > and sometimes good (portability) reasons to do so.
> >
> > So this kind of warning is not appropriate for sprintf nor vsprintf.

It is true that the snprintf and vsnprintf functions are not portable to some C libraries (Digital OSF1 for example). But I also saw a lot of buffer overflows with sprintf (in nparted for example). Probably a less violent warning like: "Warning: 'sprintf' is quite dangerous, 'snprintf' is preferable, see documentation in ... for details" would be better, with a text file explaining all the details.

> I agree with his opinion. Please tell me the reason.
> If you don't have any strong reasons, then I will just close it.
>
> Moreover, how many programs are affected by this warning?

Probably a lot.

Best Regards.
-- 
Julien LEMOINE / SpeedBlue
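The two positions in the thread can be shown side by side in code. Below is an added example (my own, not code from this bug report, from glibc or from nparted): a fixed-size greeting buffer filled from a caller-supplied name, first with the unbounded sprintf call the warning targets, then with sprintf used securely by bounding the variable-length field with an explicit precision (Matt's point, and the portable route on a libc without snprintf), and finally with snprintf plus a return-value check that also copes with pre-C99 libraries that signalled truncation by returning -1. All names (format_greeting_*, GREETING_LEN, LONG_NAME, the greet_* helpers) and the 40-byte sample input are my own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <limits.h>

/* Assumed fixed-size destination, the kind of buffer the warning is about. */
#define GREETING_LEN 32

/* The dangerous pattern: the amount written depends entirely on 'name', so a
 * name longer than GREETING_LEN - strlen("Hello, !") - 1 bytes runs past the
 * end of 'out'. Kept for contrast; it is only ever called with a short name. */
static void format_greeting_unsafe(char *out, const char *name)
{
    sprintf(out, "Hello, %s!", name);
}

/* sprintf used securely: every variable-length field gets an explicit
 * precision, so the total output cannot exceed 'outsz' whatever 'name' is.
 * Returns 0 on success, 1 if the name had to be cut, -1 if the buffer cannot
 * even hold the fixed text plus the terminating NUL. */
static int format_greeting_sprintf_bounded(char *out, size_t outsz, const char *name)
{
    const char *prefix = "Hello, ";
    const char *suffix = "!";
    size_t fixed = strlen(prefix) + strlen(suffix);
    size_t room;

    if (outsz <= fixed)             /* no space for the NUL, let alone a name */
        return -1;
    room = outsz - fixed - 1;       /* bytes left for the name after the NUL */
    if (room > INT_MAX)             /* precision is passed as an int */
        room = INT_MAX;

    /* "%.*s" copies at most 'room' bytes of 'name', so the output length is
     * fixed + min(strlen(name), room), which leaves room for the NUL. */
    sprintf(out, "%s%.*s%s", prefix, (int)room, name, suffix);
    return strlen(name) > room ? 1 : 0;
}

/* snprintf: the library enforces the bound. C99 returns the length that would
 * have been written (>= outsz means truncated); some older libraries returned
 * -1 on truncation instead, so both cases are checked.
 * Returns 0 on success, 1 if truncated, -1 on error (or on truncation with a
 * pre-C99 snprintf). 'out' is NUL-terminated in every case where outsz > 0. */
static int format_greeting_snprintf(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "Hello, %s!", name);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)
        return 1;
    return 0;
}

/* Constructed sample input: 40 'A's, far more than the buffer can hold. */
static const char LONG_NAME[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Helpers for inspection: format into one static buffer, return the status. */
static char last[GREETING_LEN];

static int greet_sprintf(const char *name)
{
    return format_greeting_sprintf_bounded(last, sizeof last, name);
}

static int greet_snprintf(const char *name)
{
    return format_greeting_snprintf(last, sizeof last, name);
}

static const char *last_greeting(void)
{
    return last;
}

int main(void)
{
    format_greeting_unsafe(last, "Matt");   /* safe only because "Matt" is short */
    printf("unsafe sprintf, short name: %s\n", last);
    printf("bounded sprintf: %d %s\n", greet_sprintf("Matt"), last_greeting());
    printf("bounded sprintf: %d %s\n", greet_sprintf(LONG_NAME), last_greeting());
    printf("snprintf:        %d %s\n", greet_snprintf("Matt"), last_greeting());
    printf("snprintf:        %d %s\n", greet_snprintf(LONG_NAME), last_greeting());
    return 0;
}
```

The bounded-sprintf version needs the arithmetic redone for every format string, which is exactly the step that gets forgotten in practice; snprintf moves that bookkeeping into the library but still needs its return value checked, since a silently truncated string is the next bug. The two truncated outputs also differ in shape: the precision form keeps the trailing "!" and cuts the name, while snprintf cuts whatever falls past the limit.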

