Closed morgant closed 3 years ago
I have converted all the sprintf() calls that used string formats to snprintf() calls. I didn't convert any of the calls using numerical formats as it was explained to me that there wasn't a buffer overrun issue with those (please correct me if wrong).

I also see a couple of strcat() calls that should probably be replaced with snprintf() calls.

I was tempted to replace the strcat() calls with strlcat() from OpenBSD, but I didn't want to include another dependency on non-OpenBSD platforms, so went with snprintf(). This is how fvwm on OpenBSD does it and mlvwm was originally based on fvwm, so it feels right.

Further discussion of the options, including OpenBSD's strlcat(), can be found in Efficient string copying and concatenation in C.

I haven't run into any issues with my — admittedly light — testing so far, so I merged in these changes.
Much of the code still uses sprintf(), but should use snprintf() instead to prevent potential buffer overflows.
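The two replacements discussed in this issue, written out as an added example (this is not mlvwm or fvwm code; the function names append_str and build_title are assumptions). build_title shows the sprintf() to snprintf() conversion, and append_str shows the strcat() replacement done with snprintf() rather than strlcat(), so it needs no extra dependency on non-OpenBSD platforms. Both return whether the result fit, because snprintf() reports the length it would have produced; checking that value is what turns a silent truncation into something the caller can act on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from mlvwm: the "after" form of
 *     sprintf(buf, "%s: %s", prefix, name);
 * Writes at most dst_size bytes including the NUL, so it cannot overrun dst.
 * Returns true if the whole string fit, false if it was truncated. */
bool build_title(char *dst, size_t dst_size, const char *prefix, const char *name)
{
    int n = snprintf(dst, dst_size, "%s: %s", prefix, name);
    /* snprintf returns the length the full output would have had;
     * n >= dst_size means the output was cut short (still NUL-terminated). */
    return n >= 0 && (size_t)n < dst_size;
}

/* Hypothetical helper, not from mlvwm: the "after" form of
 *     strcat(dst, src);
 * using only snprintf(), the approach the issue chose over strlcat().
 * dst must already hold a NUL-terminated string within dst_size bytes. */
bool append_str(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return false;                 /* dst is not terminated: refuse to write */
    size_t used = (size_t)(end - dst);
    int n = snprintf(dst + used, dst_size - used, "%s", src);
    return n >= 0 && (size_t)n < dst_size - used;
}

int main(void)
{
    char title[8];                    /* deliberately small to show truncation */
    bool ok = build_title(title, sizeof title, "abcd", "efgh");
    printf("title=\"%s\" fit=%d\n", title, ok);   /* title="abcd: e" fit=0 */

    char buf[16] = "Hello";           /* constructed sample input */
    ok = append_str(buf, sizeof buf, ", world");
    printf("buf=\"%s\" fit=%d\n", buf, ok);       /* buf="Hello, world" fit=1 */
    ok = append_str(buf, sizeof buf, "!!!!!!!!");
    printf("buf=\"%s\" fit=%d\n", buf, ok);       /* buf="Hello, world!!!" fit=0 */
    return 0;
}
```

A false return from either helper is the place to log, fall back to a larger buffer, or reject the input; the original strcat()/sprintf() calls gave no such signal and would have written past the end of the buffer instead.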