Hi Matt, In ODEINT it's called in max_step_checker.hpp. ``` const int m_max_steps; ... char error_msg[200]; std::sprintf(error_msg, "Max number of iterations exceeded (%d).", m_max_steps); ... char error_msg[200]; std::sprintf(error_msg, "Max number of iterations exceeded (%d).", m_max_steps); ``` It looks to me that neither of these uses could possibly overflow, but for whatever reason people have latched onto the idea that sprintf should never be used. Cheers, Justin ________________________________________ From: Matt Borland Sent: Thursday, November 16, 2023 1:49 AM To: Boost users list Cc: McGrath, Justin M Subject: Re: [Boost-users] Could sprintf be replaced with snprintf? On Wed, Nov 15, 2023 at 17:56, McGrath, Justin M via Boost-users > wrote: I am using some Boost libraries in a code base that does not want any use of sprintf. An automatic test flags any calls to it or vsprintf. Is it possible to replace all uses of sprintf with snprintf? I really doubt there are actually any security issues here, but I'm hoping this wouldn't be too difficult or cause any problems other than the effort to do it. Cheers, Justin _______________________________________________ Boost-users mailing list Boost-users@lists.boost.org https://lists.boost.org/mailman/listinfo.cgi/boost-usershttps://urldefense.com/v3/__https://lists.boost.org/mailman/listinfo.cgi/boo... Justin, Which libraries are you using that have that issue? Matt

Thanks Matt. ________________________________________ From: Matt Borland Sent: Thursday, November 16, 2023 9:32 AM To: McGrath, Justin M Cc: Boost users list; mario.mulansky@gmx.net Subject: Re: [Boost-users] Could sprintf be replaced with snprintf? On Nov 16, 2023, at 4:22 PM, McGrath, Justin M wrote: Hi Matt, In ODEINT it's called in max_step_checker.hpp. ``` const int m_max_steps; ... char error_msg[200]; std::sprintf(error_msg, "Max number of iterations exceeded (%d).", m_max_steps); ... char error_msg[200]; std::sprintf(error_msg, "Max number of iterations exceeded (%d).", m_max_steps); ``` It looks to me that neither of these uses could possibly overflow, but for whatever reason people have latched onto the idea that sprintf should never be used. Cheers, Justin Justin, It looks like someone filed a PR about a year ago to fix that: https://github.com/boostorg/odeint/pull/58https://urldefense.com/v3/__https://github.com/boostorg/odeint/pull/58__;!!D... , but the last commit to ODEINT is spring of 2019. I cc’ed the maintainer so hopefully he sees this. Matt

On Nov 29, 2023, at 9:39 PM, McGrath, Justin M wrote:

Hi Matt, It's been a while and I haven't heard from Mario. I tried a different email address I found on this CV, but didn't get a reply, and I can't find any contact information for Karsten Ahnert. Do you have other ideas about how to contact them, or could someone else step in as a maintainer?

Best wishes, Justin

Justin, I found Karsten’s email and CCed him here. Hopefully he is willing to merge: https://github.com/boostorg/odeint/pull/58. As for fostering libraries I am not familiar with the process, but would be willing to step in if we continue to get no response. Matt