[Announce] GnuPG 1.4 and 2.0 buffer overflow

Werner Koch wk at gnupg.org
Wed Nov 29 15:28:13 CET 2006

On Wed, 29 Nov 2006 11:52, christianbiere at gmx.de said:

> similar to asprintf() that takes no format string but simply a variable number of string arguments

Well in that concrete case that would be a good idea.  However the
sentinel attribute is only available since gcc 4 and in the past it
was common to miss the terminating NULL in the arg list ;-)

In general such a function will not help as it gets into the way when
doing i18n.

> Also, asprintf() returns an int instead of size_t. Yet another library function broken by design.

This is perfectly reasonable.  How would you return an error code
with size_t?



More information about the Gnupg-devel mailing list