Subject: re: snprintf returns? [was Re: CVS commit: src/sys]
To: Eric Haszlakiewicz <erh@jodi.nimenees.com>
From: matthew green <mrg@eterna.com.au>
List: tech-kern
Date: 04/25/2004 12:24:24
   On Sat, Apr 24, 2004 at 02:27:28PM +0200, Klaus Klein wrote:
   > snprintf() returns the amount of storage _required_ to format the
   > arguments given, which may be larger than the available storage size
   > passed to it (ep - cp).  In a worst case scenario, the storage will
   	huh?  man snprintf, 3rd paragraph of the description:
        These functions return the number of characters printed (not including
        the trailing `\0' used to end output to strings).  If an output error was
        encountered, these functions shall return a negative value.


the point is that in the normal truncating case, the return value is
larger than the size of the buffer.  that causes "ep - cp" to become
negative which the unsigned "size_t" that snprintf(3) takes sees as
a very large number.  easy to buffer overflow.  this is why the
implementation has been labelled a "false sense of security" change -
it does not actually prevent overflows.



.mrg.
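The failure mode described in the message above, as an added example that is not code from the thread or from the NetBSD tree: the first snprintf(3) truncates but still returns the full length the output would have needed, so the usual "cp += snprintf(cp, ep - cp, ...)" idiom pushes cp past ep. The next call then computes a negative (ep - cp), which the size_t parameter sees as a number near SIZE_MAX. Beside it is a clamped append that never lets cp run past ep. The function names (naive_remaining, append_safe, safe_chain), the oversized backing array used so the demonstration itself stays in bounds, and the sample "name=.../mtu=..." strings are all assumptions for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nominal buffer the code believes it is filling. */
#define NOMINAL_SIZE 16
/* Real backing storage, larger than nominal, so advancing cp past ep in the
 * naive demonstration stays inside an object and is not itself an overflow.
 * (Assumption for illustration; real code has no such slack.) */
#define BACKING_SIZE 128

/* The naive idiom: cp += snprintf(cp, ep - cp, ...).  Returns ep - cp after
 * one truncated append; a negative result means cp has run past ep. */
ptrdiff_t naive_remaining(const char *name)
{
	char backing[BACKING_SIZE];
	char *cp = backing;
	char *ep = backing + NOMINAL_SIZE;

	/* Output is cut to NOMINAL_SIZE - 1 bytes, but the return value is
	 * the length of the whole "name=<name>" string. */
	cp += snprintf(cp, (size_t)(ep - cp), "name=%s", name);
	return ep - cp;
}

/* What the *second* snprintf would receive as its size_t argument. */
size_t naive_size_arg(const char *name)
{
	return (size_t)naive_remaining(name);
}

/* Clamped append: returns the new cp, never beyond ep, and sets *truncated
 * when output was cut or an error occurred. */
char *append_safe(char *cp, char *ep, int *truncated, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (cp >= ep) {		/* nothing left; do not call snprintf at all */
		*truncated = 1;
		return ep;
	}
	va_start(ap, fmt);
	n = vsnprintf(cp, (size_t)(ep - cp), fmt, ap);
	va_end(ap);
	if (n < 0 || n >= ep - cp) {	/* error, or output did not fit */
		*truncated = 1;
		return ep;	/* vsnprintf already NUL-terminated within the buffer */
	}
	return cp + n;
}

/* Two chained appends into out[outlen]; returns cp - out (== outlen when
 * truncated, == strlen(out) otherwise). */
size_t safe_chain(const char *name, int mtu, char *out, size_t outlen,
    int *truncated)
{
	char *cp = out, *ep = out + outlen;

	*truncated = 0;
	cp = append_safe(cp, ep, truncated, "name=%s", name);
	cp = append_safe(cp, ep, truncated, " mtu=%d", mtu);
	return (size_t)(cp - out);
}

int main(void)
{
	const char *longname = "a-rather-long-interface-name";	/* constructed */
	char out[NOMINAL_SIZE];
	int trunc;

	printf("naive: ep - cp = %td, passed to snprintf as %zu (SIZE_MAX=%zu)\n",
	    naive_remaining(longname), naive_size_arg(longname), (size_t)SIZE_MAX);
	safe_chain(longname, 1500, out, sizeof(out), &trunc);
	printf("safe: \"%s\" truncated=%d\n", out, trunc);
	return 0;
}
```

The clamp matters in both directions: a negative return (output error) and a return of exactly ep - cp (output that filled the buffer so the NUL displaced the last byte) both leave nothing usable, so both are folded into the truncated case rather than advancing cp.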