On 6 Sep 2018, at 16:05, Gabriel Ivăncescu gabrielopcode@gmail.com wrote:
On Thu, Sep 6, 2018 at 5:51 PM, Huw Davies huw@codeweavers.com wrote:
What does Windows do if it's passed %12s for example?
Huw.
On Windows XP it works fine (Internet Explorer uses it) and shows what you'd expect from %12s. It's mostly for user interaction anyway, so I think Microsoft have some leeway in changing it in each version.
That being said, I honestly don't think that copying security vulnerabilities from Windows is a good idea, even if it's technically "correct". It's not a good idea to crash on such invalid input in my opinion, even if an (unpatched?) Windows version does, especially since said input is external to the application.
I suggest we do the sprintf ourselves. All we'd need to do is replace the first occurrence of '%s' with the appropriate string. We can ignore width/precision specifiers for now unless we find that an app actually depends on them.
Huw.