ISO/IEC JTC1/SC22/WG14 N614


                     Document Number:  WG14 N614/X3J11 96-078


                        C9X Revision Proposal
                        =====================

Title: Alternative to sprintf
Author: Douglas A. Gwyn
Author Affiliation: United States Army Research Laboratory
Postal Address: 801-L Cashew Court, Bel Air, MD 21014, USA
E-mail Address: gwyn@arl.mil
Telephone Number: +1 410-278-8945
Fax Number: +1 410-278-2934
Original Author: Keith Bostic
Author Affiliation: University of California, Berkeley
Postal Address: 394 East Riding Dr., Carlisle, MA 01741, USA
E-mail Address: bostic@cs.berkeley.edu
Telephone Number: +1 508-287-4781
Fax Number:
Sponsor: X3J11
Date: 1996-09-13
Document History:  1995-05-17: WG14/N430 & X3J11/95-031
	(original proposal from Bostic) received a favorable
	response from WG14, but further development was
	suggested; Gwyn volunteered to champion the issue,
	and this is the revised proposal.
Proposal Category:
   __ Editorial change/non-normative contribution
   __ Correction
   x_ New feature
   __ Addition to obsolescent feature list
   __ Addition to Future Directions
   __ Other (please specify)
Area of Standard Affected:
   __ Environment
   __ Language
   __ Preprocessor
   x_ Library
      __ Macro/typedef/tag name
      x_ Function
      x_ Header
   __ Other (please specify)
Prior Art: 4.4BSD snprintf and Plan 9 snprint functions
Target Audience: all C programmers
Related Documents (if any): C89 7.9.6.5 and 7.9.6.9
Proposal Attached: x_ Yes __ No, but what's your interest?
Abstract: The current sprintf function and the closely
	related vsprintf function are very useful, but
	can overrun the output buffer.  This behavior has
	been exploited in various attacks on computer and
	network security.  A version that performs bounds
	checking is highly desirable; such implementations
	do exist, and standardization of this facility
	would be helpful in producing portable robust code.

Proposal: The intent is to add functions analogous to the
	existing sprintf and vsprintf (which would continue
	to be specified in C9x, since existing strictly
	conforming code depends on them), that add bounds
	checking but otherwise act the same as the existing
	functions.

	Add new subsection after 7.9.6.5 The sprintf function:

		7.9.6.5-and-a-half The snprintf function

		Synopsis

			#include <stdio.h>
			int snprintf(char *s, size_t n, const
				char *format, ...);

		Description

		The snprintf function is equivalent to fprintf,
		except that the argument s specifies an array
		into which the generated output is to be written,
		rather than to a stream.  Output characters
		beyond the n-1st are discarded rather than being
		written to the array.  A null character is
		written at the end of the characters actually
		written into the array.  If copying takes place
		between objects that overlap, the behavior is
		undefined.

		Returns

		The snprintf function returns the number of
		characters that would have been written had n
		been sufficiently large, not counting
		the terminating null character.  Thus, output
		has been discarded if and only if the returned
		value is n or more.

	Add new subsection after 7.9.6.9 The vsprintf function:


		7.9.6.9-and-a-half The vsnprintf function

		Synopsis

			#include <stdarg.h>
			#include <stdio.h>
			int vsnprintf(char *s, size_t n, const
				char *format, va_list arg);

		Description

		The vsnprintf function is equivalent to
		snprintf, with the variable argument list
		replaced by arg, which shall have been
		initialized by the va_start macro (and possibly
		subsequent va_arg calls).  The vsnprintf function
		does not invoke the va_end macro [MODIFIED
		FOOTNOTE 136:  As the functions vfprintf,
		vsprintf, vsnprintf, and vprintf invoke the
		va_arg macro, the value of arg after the return
		is indeterminate.]  If copying takes place
		between objects that overlap, the behavior is
		undefined.

		Returns

		The vsnprintf function returns the number of
		characters that would have been written had n
		been sufficiently large, not counting
		the terminating null character.  Thus, output
		has been discarded if and only if the returned
		value is n or more.

	(I realize that this breaks the alphabetic order of
	the subsections.  Logical ordering is more important.)
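	As an added illustration (not part of this proposal or of any
	BSD or Plan 9 implementation), the following C code applies the
	return-value rule specified above for both functions, output is
	discarded if and only if the value is n or more, first to detect
	truncation and then to size a retry into exactly-fitting
	storage.  The helper names format_bounded and format_alloc are
	hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a caller-supplied array of n bytes.  Returns 1 if everything
 * fit, 0 if output was discarded (vsnprintf returned n or more, as the
 * proposal specifies) or on an encoding error.  When n > 0 the array is
 * always null-terminated, so a truncated result is still a valid string. */
int format_bounded(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len >= 0 && (size_t)len < n;
}

/* Format into freshly allocated storage of exactly the right size.  The
 * first pass goes into a small local array; if its return value says
 * output was discarded, that same value sizes a second pass into
 * malloc'd memory.  Caller frees the result; NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    char small[16];
    char *p;
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(small, sizeof small, fmt, ap);
    va_end(ap);
    if (len < 0)
        return NULL;
    p = malloc((size_t)len + 1);            /* len excludes the null */
    if (p == NULL)
        return NULL;
    if ((size_t)len < sizeof small)         /* fit on the first pass */
        memcpy(p, small, (size_t)len + 1);
    else {
        va_start(ap, fmt);                  /* second pass, now sized */
        vsnprintf(p, (size_t)len + 1, fmt, ap);
        va_end(ap);
    }
    return p;
}
```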

	In the Rationale document, the new subsection after
	7.9.6.5 should read:

		7.9.6.5-and-a-half The snprintf function

		The sprintf function is very useful, but
		can overrun the output buffer; that has been
		exploited in attacks on computer and network
		security.  C9x addresses this problem by adding
		the snprintf function, modeled after the 4.4BSD
		version, which performs bounds checking on the
		output array.