[SDL] Re: SDL Digest, Vol 11, Issue 33
Jeff
j_post at pacbell.net
Wed Mar 30 05:42:39 PST 2005
On Tuesday 29 March 2005 07:57 pm, David Olsen wrote:
> This sounds very scary, indeed. What does one need to do in order to avoid
> such potential disaster? Refrain entirely from printf, etc.?
>
Ack, no! printf() is God's gift to debugging ;-) Your program has control
over what arguments are sent to printf. The potential for exploits comes from
user input (eg: scanf, strcpy, etc). Your program should check for possible
buffer overflows, suspicious format specifiers in the input, etc. Simple
example:
if (strlen(source) >= BufferSize)
error("Whoops! Input too big!");
else
strcpy(buffer, source);
scanf() and fscanf() should be avoided for other reasons also. Unless input
is coming from a file with known format, it's better to write your own input
parsing routines.
HTH,
Jeff
More information about the SDL
mailing list