[RFC] _FORTIFY_SOURCE strictness
Siddhesh Poyarekar
siddhesh@gotplt.org
Mon Apr 11 08:02:38 GMT 2022
On 09/04/2022 02:37, Paul Eggert wrote:
> On 4/7/22 23:02, Siddhesh Poyarekar wrote:
>> Hmm, I think I conflated it with some other str* function.
>> You're right, strncpy probably doesn't fall into this category.
>
> Ouch, I made the same mistake.
>
> As for wcrtomb, unfortunately the standard's wording appears to allow
> you to pass an output buffer smaller than MB_CUR_MAX if you know that
> the multibyte character will fit into the smaller buffer. So I guess
> this is an example of a function where __FORTIFY_LEVEL > 2 doesn't
> conform to the standard.
>
> I don't know whether the standard's authors intended this.
>
Thomas (in cc, he maintains ncurses) found that the manual documents[1]
the fact that the glibc implementation of wcrtomb assumes the
destination buffer to have at least MB_CUR_MAX bytes, so this looks more
like a situation where we *deliberately* deviate from the standard.
If we decide to comply with the standard now we would incur an
additional copy from an internal buffer to the destination, in
addition to wrappers to pass the object size from the checking variant
whenever available. The question then is whether that's the direction
we want to take in glibc.
Siddhesh
[1] https://www.gnu.org/software/libc/manual/html_node/Converting-a-Character.html
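The standard-conforming variant described in the message (convert into an internal MB_CUR_MAX-sized buffer first, then copy into the caller's object only if the result fits) sketched as a C wrapper. This is an added example, not glibc code; `wcrtomb_sized` and `demo_utf8` are hypothetical names, and the UTF-8 check is skipped when no UTF-8 locale is installed.

```c
#include <errno.h>
#include <limits.h>
#include <locale.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical size-aware wcrtomb: the caller's buffer may be smaller than
 * MB_CUR_MAX. Converts into a local buffer of MB_LEN_MAX bytes (>= MB_CUR_MAX
 * in every locale), then copies only if the encoded length fits dst_size.
 * Returns bytes written, or (size_t)-1 with errno = EILSEQ (unconvertible
 * character, from wcrtomb) or ERANGE (destination too small). On ERANGE the
 * caller's shift state is left unchanged, as if no conversion was attempted. */
size_t wcrtomb_sized(char *dst, size_t dst_size, wchar_t wc, mbstate_t *ps)
{
    static mbstate_t internal;            /* like wcrtomb when ps == NULL */
    if (ps == NULL)
        ps = &internal;
    if (dst == NULL)                      /* NULL dst: reset state, as wcrtomb does */
        return wcrtomb(NULL, L'\0', ps);

    char tmp[MB_LEN_MAX];
    mbstate_t saved = *ps;
    size_t n = wcrtomb(tmp, wc, ps);
    if (n == (size_t)-1)
        return n;                         /* errno already set to EILSEQ */
    if (n > dst_size) {
        *ps = saved;
        errno = ERANGE;
        return (size_t)-1;
    }
    memcpy(dst, tmp, n);
    return n;
}

/* Exercise the wrapper with a 2-byte character (U+00E9) in a UTF-8 locale.
 * Returns 1 on expected behaviour, 0 if no UTF-8 locale is available,
 * -1 if the wrapper misbehaved. */
int demo_utf8(void)
{
    if (setlocale(LC_CTYPE, "C.UTF-8") == NULL &&
        setlocale(LC_CTYPE, "en_US.UTF-8") == NULL)
        return 0;
    char small[1], big[4];
    mbstate_t st;
    memset(&st, 0, sizeof st);
    errno = 0;
    int too_small = wcrtomb_sized(small, sizeof small, L'\xe9', &st) == (size_t)-1
                    && errno == ERANGE;
    int fits = wcrtomb_sized(big, sizeof big, L'\xe9', &st) == 2
               && memcmp(big, "\xc3\xa9", 2) == 0;
    return (too_small && fits) ? 1 : -1;
}
```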