Use of sprintf is seen as a red flag as many of its uses are insecure. OpenBSD warns about it while compiling, and some modern platforms, e.g. cloudlibc from cloudabi don't even provide it anymore.
Although our uses of these functions are secure, it can't hurt to replace them anyway. There are only 4 occurences of which 3 in the tests.
utACK.
21 | @@ -22,7 +22,7 @@ std::string base_blob<BITS>::GetHex() const 22 | { 23 | char psz[sizeof(data) * 2 + 1]; 24 | for (unsigned int i = 0; i < sizeof(data); i++) 25 | - sprintf(psz + i * 2, "%02x", data[sizeof(data) - i - 1]); 26 | + snprintf(psz + i * 2, 3, "%02x", data[sizeof(data) - i - 1]);
This is a little bit sketchy. Could it not safely be 2 here, not 3?
NUL term needs a 3rd byte.
For others http://www.cplusplus.com/reference/cstdio/snprintf/
A terminating null character is automatically appended after the content written.
Hence, 2 hex characters + 1 null character.
It's correct, and it's also why snprintf isn't an especially safe function call. (replaces one class of issue with another more subtle one)
It's correct, and it's also why snprintf isn't an especially safe function call. (replaces one class of issue with another more subtle one)
Indeed, that's why we never use it. The go-to function we have for this is "strprintf". However, it's kind of high overhead for formatting two hex characters. Especially as this function is called a lot.
I'll just replace this with use of HexDigit instead.
Concept ACK for general sanity, though I'm pretty sure there is no reason we should go out of our way to support libcs that are deliberately broken.
Concept ACK for general sanity, though I'm pretty sure there is no reason we should go out of our way to support libcs that are deliberately broken.
Somewhat tend to agree, though there is something to be said for deprecating unsafe functions that have caused so much pain since the 80's. They do the same with system calls, trying to keep the API (anda attack surface) as minimalist as possible.
Force-pushed into two commits:
25 | - sprintf(psz + i * 2, "%02x", data[sizeof(data) - i - 1]); 26 | - return std::string(psz, psz + sizeof(data) * 2); 27 | + static const char *hex_chars = "0123456789abcdef"; 28 | + std::string retval; 29 | + retval.reserve(sizeof(data) * 2); 30 | + for (unsigned int i = 0; i < sizeof(data); i++) {
why not size_t?
Meh. For loop counters it's generally enough to use a 32-bit type. Especially if you know you're only going to count to 64, ever.
28 | + std::string retval; 29 | + retval.reserve(sizeof(data) * 2); 30 | + for (unsigned int i = 0; i < sizeof(data); i++) { 31 | + uint8_t value = data[sizeof(data) - i - 1]; 32 | + retval.push_back(hex_chars[value >> 4]); 33 | + retval.push_back(hex_chars[value & 0xf]);
edit: fail
But incorrect.
nit: maybe emplace rather than push (potentially saves an initialization) @dcousens can you not delete your feedback? I had to dig in my emails to see that I wasn't repeating your feedback.
Do you really think there's anything to be gained by emplacing a char? I'd say something has to be really wrong for that to make a difference.
Anyhow I have a better solution based on reverse_iterator coming, so no need to discuss this further.
I'm pretty sure that the copy constructor and move constructor for a char are the same, so emplace wouldn't make a difference.
@JeremyRubin I made a woefully incorrect suggestion in regards to the bitmasking.
retval.push_back(hex_chars[value & 0xf0]);
retval.push_back(hex_chars[value & 0x0f]);
@dcousens no worries we all have our dumb moments.
19 | @@ -20,10 +20,15 @@ base_blob<BITS>::base_blob(const std::vector<unsigned char>& vch)
20 | template <unsigned int BITS>
21 | std::string base_blob<BITS>::GetHex() const
Possibly we could even use HexStr here with a reverse_iterator, though I don't know how to do that for a C-style array. All the variations I can think of are much worse than just replicating this functionality here. Edit: found it out, it's simple!
#include "stdio.h"
#include <iterator>
int main() {
char a[2] = {'a', 'b'};
auto start = std::reverse_iterator<char *>(&a[2]);
auto end = std::reverse_iterator<char *>(&a[0]);
while (start != end)
printf("%c", *(start++));
}
Outputs:
ba
Yes, thanks, I'm aware, see the new version of this patch.
ha -- and here I was thinking you coded it after I commented and I was like "wow, @laanwj is a god amongst men in code response times" ;)
Yes, I implemented it in minus 3 minutes! Truly godlike :-)
Instead of calling sprintf for every byte, format the hex bytes
ourselves by help of HexStr and a reverse_iterator.
Use of `sprintf` is seen as a red flag as many of its uses are insecure.
OpenBSD warns about it while compiling, and some modern platforms, e.g.
[cloudlibc from cloudabi](https://github.com/NuxiNL/cloudlibc) don't
even provide it anymore.
Although our uses of these functions are secure, it can't hurt to
replace them anyway. There are only 3 occurences left, all in the
tests.
There you go, a one-liner now.
utACK 19cafc6
utACK 19cafc6
utACK
re-utACK.
utACK 19cafc6
utACK 19cafc6239abd14f2b9c3d883dc7df0472cac52b