Wireshark-bugs: [Wireshark-bugs] [Bug 12093] Insecure use of sprintf functions
Date: Sun, 07 Feb 2016 07:01:13 +0000

changed bug 12093


What Removed Added
Status UNCONFIRMED INCOMPLETE
Ever confirmed   1

Comment # 1 on bug 12093 from
Presumably your static analyzer understands C++, and the QString class in C++,
and understands that the code about which it's complaining is *NOT* calling the
C language's sprintf() function, and is only complaining because, as the
documentation of the sprintf method of the String class:

    http://doc.qt.io/qt-4.8/qstring.html#sprintf

says:

    Warning: We do not recommend using QString::sprintf() in new Qt code.
Instead, consider using QTextStream or arg(), both of which support Unicode
strings seamlessly and are type-safe.

and is *NOT* doing something silly such as believing that this is formatting
text into a fixed-size buffer - because there is no fixed-size buffer involved
here and no buffer overflow involved either, as the documentation of the
sprintf method clearly indicates.

(Oh, and the format string in those calls *is* constant.  If the static
analyzer doesn't understand *that*, please replace it with a static analyzer
that *isn't* complete crap when fed C++ code.)


You are receiving this mail because:
  • You are watching all bug changes.