[R-pkg-devel] Check warning around sprintf: Compiled code should not call entry points which might terminate R nor write to stdout/stderr instead of to the console, nor use Fortran I/O nor system RNGs nor [v]sprintf.

Serguei Sokol
Mon Nov 20 10:04:10 CET 2023


On 19/11/2023 at 02:07, Iris Simmons wrote:
> Yes, the reason for the error is the use of sprintf. You can instead use
> snprintf where n is the maximum number of bytes to write, including the
> terminating nul character. For example:
> 
> char msg[8191];
> snprintf(msg, 8191, "criteria: error (%d) -> %s\n", inErr, errStr);
This line should be

snprintf(msg, 8190, "criteria: error (%d) -> %s\n", inErr, errStr);

i.e. 1 less than the size of 'msg', leaving room for the terminal 0-byte.
Otherwise, a recent version of gcc emits a warning caught by CRAN.

Best,
Serguei.


> Rf_error(msg);
> 
> or however large you made the error string.
> 
> 
> On Sat, Nov 18, 2023, 20:01 Iago Giné-Vázquez <iago.gin-vaz using protonmail.com>
> wrote:
> 
>> Dear all,
>>
>> I am updating a CRAN-archived R package, so it can get back to CRAN. But
>> there is a warning produced on Linux that I am not sure I understand
>> and I do not know how to solve, even after looking at ‘Writing portable
>> packages’ in the ‘Writing R Extensions’ manual and after searching
>> the web. The warning is
>>
>>> * checking compiled code ... WARNING
>>> File ‘ccckc/libs/ccckc.so’:
>>> Found ‘sprintf’, possibly from ‘sprintf’ (C)
>>> Object: ‘criteria.o’
>>>
>>> Compiled code should not call entry points which might terminate R nor
>>> write to stdout/stderr instead of to the console, nor use Fortran I/O
>>> nor system RNGs nor [v]sprintf.
>>> See ‘Writing portable packages’ in the ‘Writing R Extensions’ manual.
>>
>> The package contains both C and Fortran code and in the criteria.c there
>> is only a sprintf use, as follows:
>>
>> sprintf(msg,"criteria: error (%d) -> %s\n", inErr, errStr);
>> Rf_error(msg);
>>
>> Might the reason for the warning be the following line in the ‘Writing R Extensions’
>> manual?
>>
>>> Use of sprintf and vsprintf is regarded as a potential security risk and
>>> warned about on some platforms.[82](https://cran.r-project.org/doc/manuals/R-exts.html#FOOT82)
>>> R CMD check reports if any calls are found.
>>
>> If that is the reason, is there any alternative to the use of sprintf?
>> Anyway, what can I do?
>>
>> Thank you in advance for your time.
>>
>> Kind regards,
>> Iago
>>
>>
>> ______________________________________________
>> R-package-devel using r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>
> 



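How snprintf treats its size argument and reports truncation, as an added example that is not part of the original thread or of the ccckc package. The helper name format_criteria_error, the buffer sizes and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the package discussed): format the
 * error text into buf, whose total capacity is cap bytes.
 * Returns 0 if the whole message fit, 1 if it was truncated,
 * -1 on a zero-sized buffer or an encoding error. */
int format_criteria_error(char *buf, size_t cap, int inErr, const char *errStr)
{
    if (cap == 0)
        return -1;
    /* snprintf's size argument is the full capacity of the buffer: it
     * writes at most cap-1 characters and then the terminating NUL. */
    int needed = snprintf(buf, cap, "criteria: error (%d) -> %s\n", inErr, errStr);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    /* The return value is the length the complete message would have
     * had, so needed >= cap means the output was cut short. */
    return (size_t)needed >= cap ? 1 : 0;
}

int main(void)
{
    char msg[40];  /* constructed, deliberately small buffer */
    const char *longStr = "matrix is not positive definite (constructed sample)";

    int rc = format_criteria_error(msg, sizeof msg, 7, "bad input");
    printf("rc=%d len=%zu text=%s", rc, strlen(msg), msg);

    rc = format_criteria_error(msg, sizeof msg, 7, longStr);
    printf("rc=%d len=%zu text=%s\n", rc, strlen(msg), msg);

    /* In an R package the intermediate buffer can be avoided entirely:
     * Rf_error() takes a printf-style format, so the variable text is
     * passed as a "%s" argument and never used as the format string:
     *   Rf_error("criteria: error (%d) -> %s", inErr, errStr);        */
    return 0;
}
```

Passing `sizeof msg` keeps the size argument tied to the declaration, so the two cannot drift apart when the buffer is resized.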