From cc8fdaee1eeaf05d8dd55ff11f111b815f673c58 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 24 Jul 2018 05:27:19 -0400 Subject: [PATCH] banned.h: mark sprintf() as banned The sprintf() function (and its variadic form vsprintf) make it easy to accidentally introduce a buffer overflow. If you're thinking of using them, you're better off either using a dynamic string (strbuf or xstrfmt), or xsnprintf if you really know that you won't overflow. The last sprintf() call went away quite a while ago in f0766bf94e (fsck: use for_each_loose_file_in_objdir, 2015-09-24). Note that we respect HAVE_VARIADIC_MACROS here, which some ancient platforms lack. As a fallback, we can just "guess" that the caller will provide 3 arguments. If they do, then the macro will work as usual. If not, then they'll get a slightly less useful error, like: git.c:718:24: error: macro "sprintf" passed 3 arguments, but takes just 2 That's not ideal, but it at least alerts them to the problem area. And anyway, we're primarily targeting people adding new code. Most developers should be on modern enough platforms to see the normal "good" error message. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- banned.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/banned.h b/banned.h index 34f22a4c25..ad0d36dc9f 100644 --- a/banned.h +++ b/banned.h @@ -15,4 +15,14 @@ #undef strcat #define strcat(x,y) BANNED(strcat) +#undef sprintf +#undef vsprintf +#ifdef HAVE_VARIADIC_MACROS +#define sprintf(...) BANNED(sprintf) +#define vsprintf(...) BANNED(vsprintf) +#else +#define sprintf(buf,fmt,arg) BANNED(sprintf) +#define vsprintf(buf,fmt,arg) BANNED(sprintf) +#endif + #endif /* BANNED_H */