RFC: *scanf vs. overflow

Richard W.M. Jones rjones@redhat.com
Sat May 23 07:06:54 GMT 2020


The context to this is that nbdkit uses sscanf to parse simple file
formats in various places, e.g.:

https://github.com/libguestfs/nbdkit/blob/b23f4f53cf71326f1dba481f64f7f182c20fa3dc/plugins/data/format.c#L171-L172
https://github.com/libguestfs/nbdkit/blob/b23f4f53cf71326f1dba481f64f7f182c20fa3dc/filters/ddrescue/ddrescue.c#L98

We can only do this safely where we can prove that overflow does not
matter.  In other cases we've had to change sscanf uses to strto* etc.,
which is much more difficult to use correctly.  Just look at how much
code is required to wrap strto* functions to use them safely:

https://github.com/libguestfs/nbdkit/blob/b23f4f53cf71326f1dba481f64f7f182c20fa3dc/server/public.c#L113-L296

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
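The overflow problem referred to above, shown in code.  This is an added
example written for this page, not nbdkit's own code and not the wrapper
in server/public.c; the function names parse_int64_strict and
sscanf_int64 are made up here, and the sample inputs are constructed.
C11 7.21.6.2p10 says the stored value is undefined if an sscanf
conversion does not fit the target object, and sscanf gives the caller
no way to find that out.  strtoll does report it (errno == ERANGE), but
only if the caller also checks for leading whitespace, no digits
consumed, and trailing garbage, which is the boilerplate the mail is
complaining about:

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wrapper (example only, not nbdkit's code): parse all of
 * `str` as a decimal int64_t.  Returns 0 on success, -1 on failure with
 * errno = ERANGE if the value does not fit in int64_t and errno = EINVAL
 * for anything else (empty, leading whitespace, no digits, trailing
 * junk).  *rp is only written on success. */
int
parse_int64_strict (const char *str, int64_t *rp)
{
  char *end;
  long long r;

  /* strtoll silently skips leading whitespace, so "  42" would parse
   * as 42.  Reject that here so the caller sees exactly the bytes it
   * thinks it is parsing. */
  if (str == NULL || *str == '\0' || isspace ((unsigned char) *str)) {
    errno = EINVAL;
    return -1;
  }

  /* strtoll only sets errno on error, never clears it. */
  errno = 0;
  r = strtoll (str, &end, 10);

  /* Out of range: strtoll clamps to LLONG_MAX / LLONG_MIN and sets
   * ERANGE.  This is the signal sscanf never gives. */
  if (errno == ERANGE)
    return -1;

  /* No digits consumed ("", "-", "abc") or trailing garbage ("12abc",
   * "12 "). */
  if (end == str || *end != '\0') {
    errno = EINVAL;
    return -1;
  }

  /* long long is at least 64 bits; guard the cast in case it is wider. */
  if (r < INT64_MIN || r > INT64_MAX) {
    errno = ERANGE;
    return -1;
  }

  *rp = (int64_t) r;
  return 0;
}

/* For comparison: what sscanf reports for the same input.  It returns
 * the number of conversions it considers successful; on overflow the
 * value stored in *rp is undefined (C11 7.21.6.2p10), so nothing here
 * can be checked portably. */
int
sscanf_int64 (const char *str, int64_t *rp)
{
  return sscanf (str, "%" SCNd64, rp);
}

int
main (void)
{
  /* Constructed sample inputs: in range, INT64_MAX, INT64_MAX + 1,
   * trailing junk, leading space, empty. */
  const char *inputs[] = {
    "12345", "9223372036854775807", "9223372036854775808",
    "12abc", " 42", "",
  };
  size_t i;

  for (i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
    int64_t v = 0;
    int r = parse_int64_strict (inputs[i], &v);
    int64_t s = 0;
    int n = sscanf_int64 (inputs[i], &s);

    printf ("%-22s strict: %s", inputs[i],
            r == 0 ? "ok" : errno == ERANGE ? "ERANGE" : "EINVAL");
    if (r == 0)
      printf (" (%" PRId64 ")", v);
    printf ("   sscanf: %d conversion(s)\n", n);
  }
  return 0;
}
```

Note that sscanf reports one successful conversion for
"9223372036854775808" and for "12abc" alike; only the strtoll path
distinguishes overflow from a valid number, which is why the mail says
sscanf can only be kept where overflow provably does not matter.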
