bug-gnulib
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: best way to deal with macOS deprecation of sprintf?

From: Jeffrey Walton
Subject: Re: best way to deal with macOS deprecation of sprintf?
Date: Thu, 3 Nov 2022 15:43:50 -0400 
On Thu, Nov 3, 2022 at 3:23 PM Paul Eggert <eggert@cs.ucla.edu> wrote:
>
> As noted in <https://bugs.gnu.org/58966>, macOS 13.0 has deprecated
> sprintf, on the grounds that buffer overflow happens too often with it.
> As a result, compilers will complain about any calls to sprintf, even if
> you don't configure with --enable-gcc-warnings. I assume vsprintf is
> similar.
>
> This macOS change runs afoul of common practice in Gnulib and Gnu
> programs, which is to allocate a buffer of appropriate size and then
> sprintf into it.
>
> Here are some ways we can respond to Apple's deprecation of sprintf.
>
> 0. Do nothing. That's what we did when Microsoft deprecated sprintf in
> 2005 (in favor of sprintf_s), and the world rolled along much as it did
> before.
>
> 1. Stop using sprintf in Gnulib and Gnu apps. I'm not inclined to do
> this, as it's makework and is likely to introduce bugs; plus, it's a tad
> slower.
>
> 2a. Add a Gnulib module sprintf-pacify that puts a "#pragma GCC
> diagnostic ignored "-Wdeprecated-declarations"' in Gnulib's stdio.h if
> that pacifies a false alarm about sprintf. Have sprintf-posix depend on
> this new module. Something like this in gnulib/lib/stdio.h, perhaps:
>
>    #if @PACIFY_SPRINTF_DEPRECATION@
>    # pragma GCC diagnostic push
>    # pragma GCC diagnostic ignored "-Wdeprecated-declarations"
>    int
>    gl_vsprintf (char *restrict str, char const *restrict fmt, va_list ap)
>    {
>      return vsprintf (str, fmt, ap);
>    }
>    int
>    gl_sprintf (char *restrict str, char const *restrict fmt, ...)
>    {
>      va_list ap;
>      va_start (ap, format);
>      int n = vsprintf (str, format, ap);
>      va_end (ap);
>      return n;
>    }
>    # pragma GCC diagnostic pop
>    # define sprintf gl_sprintf
>    # define vsprintf gl_vsprintf
>    #endif
>
> 2b. Like (2a), but simply put -Wno-deprecated-declarations in CFLAGS
> instead of into gnulib's lib/stdio.h.
>
> 3. Don't bother with a new module; simply add the functionality to the
> existing sprintf-posix module.
>
> I'm somewhat inclined to go with (2a), as GNU Emacs doesn't use
> sprintf-posix and presumably doesn't want its complexity, whereas it
> could use sprintf-pacify instead of the homebrew (2b)-like solution
> recently installed there. A downside of (2b) is that
> -Wno-deprecated-declarations would apply to all code compiled on macOS,
> not just calls to sprintf and vsprintf; however, (2b) is simpler and
> less likely to go wrong.
>
> Comments?

A few small comments, nothing really material.

Apple deprecated sprintf starting at MacOS 10.12.[1] Apple considers
vsprintf insecure, too.[2] Apple considers snprintf a secure
replacement.[2]

Apple's Secure Coding Guide says you can use snprintf or asprintf, if
you wish.[3] (And vsnprintf or vasprintf for vsprintf).

snprintf is kind of a lame for a replacement since it backfills the
buffer with all 0's. But at least their suggested replacement is not
part of Cocoa or other Apple framework.

Jeff

[1] https://developer.apple.com/documentation/kernel/1441083-sprintf
[2] 
https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/sprintf.3.html
[3] 
https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
reply via email to
[Prev in Thread] Current Thread [Next in Thread]