Defect report #428

Defect Report #428

Previous Defect Report < - > Next Defect Report

Submitter: Douglas Walls
Submission Date: 2013-02-11
Source: WG 14
Reference Document: N1672
Version: 1.1
Date: October 2013
Subject: runtime-constraint issue with sprintf family of routines in Annex K

Summary

snprintf_s (Annex K.3.5.3.5)

In the "Runtime-constraints" section, K.3.5.3.5p2 first sentence it says:

"Neither s nor format shall be a null pointer. n shall neither equal
zero nor be greater than RSIZE_MAX."

So,
    if (n == 0 || n > RSIZE_MAX)
        /* runtime constraints violation */

This is clear. However the next paragraph K.3.5.3.5p3, says this about "s":

"If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and less than RSIZE_MAX, then the
snprintf_s function sets s[0] to the null character."

So, it takes action when (n < RSIZE_MAX)

        if (s != NULL && n > 0 && n < RSIZE_MAX)
            s[0] = '\0';

Question here is, what if n equals RSIZE_MAX? Should we still reset
s[0]?

If I were to say this looks like a typo, would WG14 agree with me?

That is the text of K.3.5.3.5p3 should be:

If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and not greater than RSIZE_MAX, then the
snprintf_s function sets s[0] to the null character.

This issue applies to all the sprintf family of routines in Annex K

Suggested Technical Corrigendum

snprintf_s
Replace K.3.5.3.5p3 with:

If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and not greater than RSIZE_MAX, then the
snprintf_s function sets s[0] to the null character.

sprintf_s
Replace K.3.5.3.6p3 with:

If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and not greater than RSIZE_MAX, then the
sprintf_s function sets s[0] to the null character.

vsnprintf_s
Replace K.3.5.3.12p3 with:

If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and not greater than RSIZE_MAX, then the
vsnprintf_s function sets s[0] to the null character.

vsprintf_s
Replace K.3.5.3.13p3 with:

If there is a runtime-constraint violation, then if s is not a null
pointer and n is greater than zero and not greater than RSIZE_MAX, then the
vsprintf_s function sets s[0] to the null character.

Apr 2013 meeting

Committee Discussion

The committee agrees with the assessment and the suggested changes.
There are, however, other places where similar changes are needed.

Oct 2013 meeting

Committee Discussion

Further investigation confirmed that there were several other functions that also need similar corrections to their runtime constraints. All of these additional functions also need additional corrections as specified in DR433, and the full resolution of both this defect and the additional issue will be found in the Proposed Technical Corrigendum of DR433.
That list is:
- K.3.9.1.3 The snwprintf_s function
- K.3.9.1.4 The swprintf_s function
- K.3.9.1.8 The vsnwprintf_s function
- K.3.9.1.9 The vswprintf_s function
- K.3.9.3.2.1 The mbsrtowcs_s function
- K.3.9.3.2.2 The wcsrtombs_s function
It is noted that with these changes that K.3.5.1.2 tmpname_s will have wording inconsistent with respect to these modifications.
Consistent wording would be, in K.3.5.1.2p2 replace "less than or equal to RSIZE_MAX" with "not greater than RSIZE_MAX".
As such, the committee continues to accept unchanged the Proposed Technical Corrigendum as partial fulfillment of this defect, and that full resolution of the other similar defects will be found in DR433.

Proposed Technical Corrigendum

Previous Defect Report < - > Next Defect Report