Jeremy Evans:
In updating the Scintilla and SciTE ports to 1.70 for OpenBSD, I've done a code audit and replaced the insecure string handling functions (strcat, strcpy, sprintf) with the secure ones (strlcat, strlcpy, snprintf, respectively). Hopefully these security fixes can be applied to future versions of Scintilla and SciTE.
Scintilla is a cross-platform project and supports multiple compilers and runtime libraries. The currently supported compilers include, on Windows, MinGW 3.1, Borland 5.5 and Microsoft Visual Studio 2003, none of which include strlcat or strlcpy, and Microsoft calls snprintf "_snprintf".

There is an ISO working group looking at standardising bounds checking functions, and eventually this will be possible in a cross-platform manner. Visual Studio 2005 has its own set of bounds checking functions (strcat_s, strcpy_s, _snprintf_s): http://msdn2.microsoft.com/en-us/library/wd3wzwts.aspx

Trying to support each possibility with strlcat or strcat_s or no bounds checking function would be overly messy and is more likely to create bugs than fix them. I won't be incorporating patches that will not compile with the above compilers or with GCC 4.1.

Neil

_______________________________________________
Scintilla-interest mailing list
[email protected]
http://mailman.lyra.org/mailman/listinfo/scintilla-interest
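The bounded-copy semantics Jeremy's replacements rely on, and the portability problem Neil raises, as an added C example that is not code from Scintilla or SciTE: local fallbacks with strlcpy/strlcat semantics (named xstrlcpy/xstrlcat here, a hypothetical choice so they compile even where the C library has no strlcat/strlcpy, and so they never clash with a libc that does), plus a caller that checks the returned length to detect truncation instead of silently overrunning the buffer the way strcat/strcpy would. The title-building function and its inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fallbacks with OpenBSD strlcpy/strlcat semantics, written against plain
 * C89 library calls so they build with MinGW, Borland, MSVC and GCC alike:
 *  - copy/append at most size-1 bytes,
 *  - always NUL-terminate when size > 0,
 *  - return the length the full result would have had, so the caller can
 *    detect truncation with `ret >= size`.
 * The x prefix is a hypothetical name chosen to avoid colliding with libc. */
size_t xstrlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

size_t xstrlcat(char *dst, const char *src, size_t size) {
    size_t dstlen = 0;
    /* Bounded scan: never read past `size` even if dst is unterminated. */
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)
        return size + strlen(src);   /* dst already fills the buffer */
    return dstlen + xstrlcpy(dst + dstlen, src, size - dstlen);
}

/* Builds "<name> - <app>" into a fixed-size buffer (constructed example of
 * the kind of string building an editor does for a window title).
 * Returns 1 on success, 0 if the result did not fit; on 0 the buffer holds
 * a NUL-terminated prefix rather than overflowed memory. */
int build_title(char *out, size_t size, const char *name, const char *app) {
    size_t need;
    if (size == 0)
        return 0;
    out[0] = '\0';
    need = xstrlcat(out, name, size);
    if (need >= size) return 0;
    need = xstrlcat(out, " - ", size);
    if (need >= size) return 0;
    need = xstrlcat(out, app, size);
    return need < size;
}

/* Constructed checks (inputs are not from the original thread). */
int demo_fits(void) {
    char buf[32];
    return build_title(buf, sizeof buf, "file.txt", "SciTE")
        && strcmp(buf, "file.txt - SciTE") == 0;
}

int demo_truncated(void) {
    char buf[12];   /* result needs 16 bytes plus NUL: must be refused */
    return !build_title(buf, sizeof buf, "file.txt", "SciTE")
        && strcmp(buf, "file.txt - ") == 0;   /* still NUL-terminated */
}

int demo_copy_reports_full_length(void) {
    char buf[8];
    size_t ret = xstrlcpy(buf, "Scintilla", sizeof buf);   /* 9 chars */
    return ret == 9 && strcmp(buf, "Scintil") == 0;
}

int main(void) {
    char title[32];
    if (build_title(title, sizeof title, "file.txt", "SciTE"))
        printf("title: %s\n", title);
    printf("fits=%d truncated=%d copy_len_ok=%d\n",
           demo_fits(), demo_truncated(), demo_copy_reports_full_length());
    return 0;
}
```

The return-value convention is what makes the replacement more than cosmetic: a call site that swaps strcat for strlcat but ignores the result still produces a silently truncated string, so each append is checked here. For snprintf the same check applies, with the caveat Neil's reply points at: pre-C99 "_snprintf" on MSVC neither guarantees NUL termination nor returns the needed length on truncation, so a wrapper in that environment has to terminate the buffer itself.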
