Subject: Re: Is fclose(NULL) defined?
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: current-users
Date: 09/13/1995 07:09:52
> Maybe now that the brain-deadness of {v}sprintf() has finally bitten
> people in the syslog brouhaha, those routines could print a warning a
> la gets().  I think not because: the problem with gets() has been
> known from early days and fgets() is available as the routine which
> should be used.  {v}sprintf() may not be as widely used, but there
> was simply no alternative until(?) 4.4's {v}snprintf().

Or doing it yourself, which isn't hard if you skip floats.

More to the point, lots of uses of sprintf are perfectly safe, even
though it doesn't take a buffer size parameter.

Consider, for example:

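#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *make_path(const char *dir, const char *name)
{
 char *buf;

 /* exact size: dir, the '/', name, and the terminating NUL */
 buf = malloc(strlen(dir)+1+strlen(name)+1);
 if (buf) sprintf(buf,"%s/%s",dir,name);
 return(buf);
}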

Of course, this doesn't apply to vsprintf, or at least not nearly as
strongly.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
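
Added example, not part of the original message: the same allocate-to-fit idea carried over to the variadic case, where the needed length cannot be computed with strlen() up front. It assumes a C99 vsnprintf() that returns the required length when called with a NULL buffer and size 0; the names format_alloc and format_fixed are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: measure first, then allocate exactly what the
 * formatted result needs. Returns NULL on format error or malloc failure. */
char *format_alloc(const char *fmt, ...)
{
	va_list ap, ap2;
	int need, wrote;
	char *buf;

	va_start(ap, fmt);
	va_copy(ap2, ap);                   /* each pass consumes a va_list */
	need = vsnprintf(NULL, 0, fmt, ap); /* assumed C99: length needed */
	va_end(ap);
	if (need < 0) {
		va_end(ap2);
		return NULL;
	}

	buf = malloc((size_t)need + 1);
	if (buf) {
		wrote = vsnprintf(buf, (size_t)need + 1, fmt, ap2);
		if (wrote != need) {        /* arguments changed between passes */
			free(buf);
			buf = NULL;
		}
	}
	va_end(ap2);
	return buf;
}

/* Hypothetical helper: format into a caller-supplied fixed buffer.
 * Returns 0 on success, -1 if the result was truncated or formatting failed,
 * so the caller never mistakes a cut-off string for the full one. */
int format_fixed(char *dst, size_t dstsize, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(dst, dstsize, fmt, ap);
	va_end(ap);
	return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}
```

The caller frees the pointer returned by format_alloc; with format_fixed the buffer is still NUL-terminated after a -1 return, but its contents are truncated and should not be used as a path or message.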