Good Code
The good version uses snprintf, passes the buffer size, and treats truncation as a failure. The caller receives a result code instead of a silently shortened label.
Lesson 02
Buffer bounds and formatted output
Use bounded formatting APIs and check their return values before treating a fixed buffer as complete.
- buffers
- bounds
- formatting
Good Code
src/review_label.c#include <stddef.h>
#include <stdio.h>
int format_review_label(char *dst, size_t dst_size, int id)
{
// snprintf reports when the label does not fit.
int written = snprintf(dst, dst_size, "review-%d", id);
if (written < 0 || (size_t) written >= dst_size) {
return -1;
}
return 0;
}Bad Code
review_label.c#include <stdio.h>
void format_review_label(char *dst, int id)
{
// sprintf cannot see the destination size.
sprintf(dst, "review-%d", id);
}Review Notes
What to review
Bad Code
The bad version uses sprintf, so the function cannot prove the destination is large enough. A longer id can overwrite adjacent memory.
Takeaways
- A bounded write still needs a return-value check, because truncation can be a data bug rather than a safe result.