SDL List of Banned Functions
Dave W edited this page Apr 25, 2016 · 38 revisions
The following table lists the banned functions together with the recommended replacement from the Safe Strings library or, where no suitable library function is available, directions for using a function from the standard C library instead. Banned functions shown in orange are new additions to the banned C list; functions shown in blue are not banned, but should be replaced with safer alternatives.
| Banned Function | Replacement Function |
|---|---|
| alloca(), _alloca() | Use malloc() (or C++ `new`), which allocates on the heap, instead of the alloca functions, which allocate on the stack: an alloca() call with a large or attacker-influenced size can overrun the stack frame. |
| scanf(), wscanf(), sscanf(), swscanf(), vscanf(), vsscanf() | Use fgets() instead of the scanf() functions. |
| strlen(), wcslen() | strnlen_s(), wcsnlen_s() |
| strtok(), strtok_r(), wcstok() | strtok_s() |
| strcat(), strncat(), wcscat(), wcsncat() | strcat_s(), strncat_s(), strlcat(), wcscat_s(), wcsncat_s() |
| strcpy(), strncpy(), wcscpy(), wcsncpy() | strcpy_s(), strncpy_s(), strlcpy(), wcscpy_s(), wcsncpy_s() |
| memcpy(), wmemcpy() | memcpy_s(), wmemcpy_s() |
| stpcpy(), stpncpy(), wcpcpy(), wcpncpy() | stpcpy_s(), stpncpy_s(), wcpcpy_s(), wcpncpy_s() |
| memmove(), wmemmove() | memmove_s(), wmemmove_s() |
| memcmp(), wmemcmp() | memcmp_s(), wmemcmp_s() |
| memset(), wmemset() | memset_s(), wmemset_s() |
| gets() | Use fgets() instead. |
| sprintf(), vsprintf(), swprintf(), vswprintf() | Use snprintf(), or one of the specialized (non-varargs) versions in the Safe String library. |
| snprintf(), vsnprintf() | Consider using a wrapper function that avoids the varargs construct and uses compile-time checks on the parameters passed into snprintf(). See the example functions in the SeCoE Safe String library. |
| realpath() | Continue to use realpath(), but pass NULL as the second parameter so that it allocates an appropriately sized buffer on the heap (release it with free() when done). |
| getwd() | Use getcwd() instead, because it takes the buffer size as a parameter and checks against it. |
| wctomb(), wcrtomb(), wcstombs(), wcsrtombs(), wcsnrtombs() | The wide-character to multi-byte string conversion routines can cause buffer overflows, but no alternatives are currently provided. If alternatives are determined to be needed for Intel code, they will be added to the SeCoE library extensions. |
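The table recommends size-aware replacements and a wrapper around snprintf() with compile-time checks. The following is an added example written for this page, not code from the Safe String library or Intel, showing in standard C what those replacements guard against: a strcpy_s-style copy that carries the destination size and refuses a source that does not fit, a vsnprintf wrapper using GCC/Clang's format attribute that reports truncation instead of hiding it, and an fgets-based reader for the gets()/scanf() rows that detects an over-long line and drains its remainder. The function names (bounded_len, safe_strcpy, fmt_buf, read_line), the status enum and the inputs are this example's own assumptions.

```c
/* Added example, not Safe String library code: plain-C stand-ins for three
 * of the replacements in the table (strcpy_s, a checked snprintf wrapper,
 * fgets for gets). bounded_len, safe_strcpy, fmt_buf and read_line are this
 * example's own names; the _s names belong to the library. Needs GCC/Clang. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum str_status { STR_OK = 0, STR_EINVAL, STR_OVERFLOW, STR_TRUNC, STR_EOF };

/* Length of s bounded by max (the job strnlen_s does): never reads past max
 * bytes, so an unterminated buffer cannot cause an out-of-bounds read. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strcpy_s-style copy: the destination size travels with the pointer, and a
 * source that does not fit is rejected with dest set to "" rather than partly
 * written (the Annex K behaviour on a constraint violation). */
enum str_status safe_strcpy(char *dest, size_t dsize, const char *src)
{
    size_t n;
    if (dest == NULL || dsize == 0)
        return STR_EINVAL;
    if (src == NULL || (n = bounded_len(src, dsize)) == dsize) {
        dest[0] = '\0';             /* NULL source, or no NUL within dsize */
        return src == NULL ? STR_EINVAL : STR_OVERFLOW;
    }
    memcpy(dest, src, n + 1);       /* n + 1 <= dsize, so this stays in bounds */
    return STR_OK;
}

/* snprintf wrapper of the kind the table recommends: the format attribute lets
 * the compiler check arguments against the format string at build time, and
 * truncation is reported (-1, dest emptied) instead of silently accepted. */
__attribute__((format(printf, 3, 4)))
int fmt_buf(char *dest, size_t dsize, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dest == NULL || dsize == 0 || fmt == NULL)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dest, dsize, fmt, ap);   /* n is the length it wanted */
    va_end(ap);
    if (n < 0 || (size_t)n >= dsize) {
        dest[0] = '\0';
        return -1;
    }
    return n;
}

/* fgets-based reader replacing gets() and scanf("%s"): a line longer than the
 * buffer is reported as STR_TRUNC and its remainder drained, so the leftover
 * bytes cannot be misread as the next record. STR_EOF means end of input. */
enum str_status read_line(FILE *fp, char *buf, size_t size)
{
    size_t n, drained = 0;
    int c;
    if (fgets(buf, (int)size, fp) == NULL)
        return STR_EOF;
    n = bounded_len(buf, size);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return STR_OK;
    }
    while ((c = fgetc(fp)) != EOF && c != '\n')
        drained++;
    return drained ? STR_TRUNC : STR_OK;
}

/* Scenarios on constructed inputs; each returns 1 when every guard behaved. */
int demo_strings(void)
{
    char dest[32], small[8];
    return safe_strcpy(dest, sizeof dest, "short") == STR_OK && strcmp(dest, "short") == 0
        && safe_strcpy(dest, sizeof dest,
                       "this source is far longer than thirty-two bytes") == STR_OVERFLOW
        && dest[0] == '\0'
        && fmt_buf(dest, sizeof dest, "user=%s id=%d", "alice", 42) == 16
        && fmt_buf(small, sizeof small, "user=%s id=%d", "alice", 42) == -1
        && small[0] == '\0';
}

int demo_read_line(void)
{
    char line[8];            /* fgets() stores at most 7 chars plus the NUL */
    FILE *fp = tmpfile();    /* constructed input standing in for stdin */
    int ok;
    if (fp == NULL)
        return 0;
    fputs("abc\n0123456789\nlast", fp);
    rewind(fp);
    ok = read_line(fp, line, sizeof line) == STR_OK && strcmp(line, "abc") == 0
      && read_line(fp, line, sizeof line) == STR_TRUNC && strcmp(line, "0123456") == 0
      && read_line(fp, line, sizeof line) == STR_OK && strcmp(line, "last") == 0
      && read_line(fp, line, sizeof line) == STR_EOF;
    fclose(fp);
    return ok;
}
```

The scenarios use tmpfile() as a stand-in for stdin. Note the policy difference among the table's replacements: strlcpy() truncates and reports the length it wanted, whereas this copy refuses and empties the destination; whichever policy a project picks, the caller must check the return value, which is the point of passing the destination size in the first place.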