[Libguestfs] RFC: *scanf vs. overflow

Sat May 23 15:25:39 UTC 2020

On 5/23/20 12:06 AM, Richard W.M. Jones via Libc-alpha wrote:

> https://github.com/libguestfs/nbdkit/blob/b23f4f53cf71326f1dba481f64f7f182c20fa3dc/plugins/data/format.c#L171-L172

> We can only do this safely where we can prove that overflow does not
> matter.

Yes, this is exactly the sort of usage that I had in mind. In the following
example, which is the first use of *scanf I saw, if scanf never allowed integer
overflow (that is, it scanned only as much of a number that would fit), this
code would output an error message instead of blithely going on with an
overflowed number, and this would be safer than the code's current behavior.

>       if (sscanf (&value[i], "*%" SCNi64 "%n", &k, &n) == 1) {
>         if (k < 0) {
>           nbdkit_error ("data parameter *N must be >= 0");
>           return -1;
>         }
>         ...
>       } else {
>         nbdkit_error ("')' in data string not followed by '*'");
>         return -1;
>       }