Comments on: Effective C Tips #1 – Using vsprintf()

By: Nigel Jones

Nigel Jones — Thu, 16 Jun 2011 10:56:39 +0000

Apologies for the delay in moderating the comment - I have been away on holiday. Anyway, thanks for sharing this, as I wasn't aware of the sign extension issue. As a matter of interest, what happens if you use the C99 printf formatters, as described here

By: Atlant

Atlant — Thu, 09 Jun 2011 12:43:30 +0000

I’ll second, err, “third” the comment to always use (v)snprintf(). Without that, it’s too easy for a buffer overflow to sneak up on you.

We had a case recently that Grammatech’s CodeSonar caught for us. We were doing (simplified):

sprintf( five_byte_buffer, “%04X”, uint16_value );

and Code Sonar was telling us that the conversion could overflow the buffer. “Nonsense!” we said, “knowing” that 1) the four bytes output by the “%04X” conversion plus the trailing null character couldn’t be more than five bytes and 2) we’d actually tested all reasonable values of uint16_value from 0×0000 to 0xFFFF and our conversion routine had worked fine.

But it turns out that CodeSonar knew something we didn’t know: the “%x” conversion in some libraries would sign-extend into 32 bits any value being “%x” formatted before doing the formatting and on systems that used *THAT* sort of conversion, “negative” values would then be formatted as eight characters (e.g. “FFFFFFFF”) and *THAT* would blow our buffer. We switched to using snprintf() and that eliminated the buffer overflow. (Code Sonar was still unhappy that on some systems, the conversion would not fit in the buffer (and would be truncated) but since it did fit on our system (and wasn’t truncated), we decided we could live with that.)

Always use the …nprintf() version of the functions!

By: e

Tue, 02 Feb 2010 19:26:49 +0000

I agree wholeheartedly with Mans: use (v)snprintf(). A public domain version is part of sqlite. -- e

By: Mans

Mans — Mon, 01 Feb 2010 22:24:54 +0000

I would argue vsprintf() should never be used due to the risk of buffer overflow. One should always use (v)snprintf(). If your system doesn't have it, steal a BSD licensed one somewhere.

By: Anonymous

Anonymous — Fri, 10 Apr 2009 01:15:00 +0000

oops, I forgot to add that I use stdin/stdout redirection to a custom putchar function that actually does the work of putting the code on to a serial port or LCD screen.

By: Anonymous

Anonymous — Fri, 10 Apr 2009 01:12:00 +0000

What I've done in the past is to use a macro to achieve the roughly the same result.I use this for my DEBUG statements while I'm developing.#if defined(DEBUG_GLOBAL) && defined(DEBUG_LOCAL) #define DEBUG(__format, __args…) do { printf_P( PSTR(__format), ## __args ); } while (0) #else #define DEBUG(__format, __args…)#endif

By: Nigel Jones

Nigel Jones — Tue, 31 Mar 2009 12:13:00 +0000

Mike is quite right. Of course I’m not sure what MISRA expects one to do when one is writing code for a GUI. Although it’s possible to write string formatters without using variable length argument lists, the results typically aren’t pretty. I think this is one of those cases where the cure may be worse than the illness.

By: Michael Barr

Michael Barr — Thu, 12 Feb 2009 08:33:00 +0000

FYI to readers: MISRA-C Rule 16.1 prohibits the creation of functions with variable numbers of arguments. There are risks involved in doing this in a safety-critical system.