X-Authentication-Warning: delorie.com: mailnull set sender to djgpp-bounces using -f
Message-ID: <3C14CD57.F9EEB80B@iedu.com>
From: Morris Dovey
Organization: Mission-Critical Systems
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.0.36 i686)
X-Accept-Language: en, fr, pt, ru, es
MIME-Version: 1.0
Newsgroups: comp.lang.c,comp.os.msdos.djgpp,comp.lang.c++
Subject: Re: String substitution to another
References: <3C151123 DOT D1E94FE8 AT surfeu DOT fi> <3c149894 DOT 7181858 AT news DOT tiscali DOT nl> <9v2knf$htt$0 AT 216 DOT 39 DOT 135 DOT 9>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 28
Date: Mon, 10 Dec 2001 09:57:27 -0500
NNTP-Posting-Host: 63.224.188.25
X-Trace: news.uswest.net 1007999892 63.224.188.25 (Mon, 10 Dec 2001 09:58:12 CST)
NNTP-Posting-Date: Mon, 10 Dec 2001 09:58:12 CST
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

Aaron Evans wrote:
> how is
>
> gets(filename) || length > MAXLINELENGTH
>
> more dangerous than
>
> fgets (strline, MAXLINELENGTH, fileptr);

Aaron...

gets(buffer) accepts input of /any/ length - without consideration for the actual length of the buffer (it will happily attempt to read a megabyte into a 10-char area). The best possible result of overflowing the buffer is that the program crashes. The worst possible result would be a hostile input /not/ crashing the program; and causing the system to take destructive actions such as trashing the hard disk, erasing any NVRAMs, and sending insulting messages in your name to your boss.

The cost of not using gets() is low. The cost of using it could be high.

HTH

--
Morris Dovey
West Des Moines, Iowa USA
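The point above in runnable form, as an example added by the editor and not code from Morris Dovey's post or from the thread. gets() receives no length at all (it was removed from the language in C11), whereas fgets() is told the buffer size, so the worst an overlong line can do is get cut off. The caveat a practitioner has to handle is that fgets() leaves the unread remainder of a long line in the stream, so a naive loop would silently continue mid-line on the next call. The names read_line, make_stream and the LINE_* codes are this example's own, and the input text is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for read_line(); these names are this example's own. */
enum line_status { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/*
 * Read one line into buf (at most size-1 characters plus the NUL), the way
 * gets() never can: fgets() stops after size-1 characters, so the buffer
 * cannot overflow no matter how long the input line is.
 *
 * The trailing newline is removed. If the line did not fit, the rest of it
 * is read and discarded so the next call starts on the next line, and
 * LINE_TRUNCATED is returned so the caller can reject or log the input.
 */
int read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;

    if (size < 2 || fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;                 /* end of input or read error */

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* whole line fit: strip newline */
        return LINE_OK;
    }

    /* No newline: either the final line lacks one, or the line was too long. */
    c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;                  /* last line of input, unterminated */
    while (c != '\n' && c != EOF)        /* drain the overlong remainder */
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/* Turn constructed text into a readable stream using a temporary file. */
FILE *make_stream(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    /* Constructed input: a short line, a line longer than the buffer,
       an empty line, and a final line with no newline. */
    const char *input = "short\n"
                        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                        "\n"
                        "last";
    char buf[16];                        /* deliberately small, like the "10-char area" */
    FILE *fp = make_stream(input);
    int status;

    if (fp == NULL)
        return 1;
    while ((status = read_line(fp, buf, sizeof buf)) != LINE_EOF)
        printf("%-9s \"%s\"\n", status == LINE_TRUNCATED ? "TRUNCATED" : "ok", buf);
    fclose(fp);
    return 0;
}
```

With a 16-byte buffer the 32-character line comes back as its first 15 characters and LINE_TRUNCATED, and the empty line and the unterminated last line are still read correctly afterwards; the same logic holds whether the hostile line is 32 bytes or a megabyte.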