[R-pkg-devel] Check warning around sprintf: Compiled code should not call entry points which might terminate R nor write to stdout/stderr instead of to the console, nor use Fortran I/O nor system RNGs nor [v]sprintf.

Iris Simmons
Mon Nov 20 10:06:34 CET 2023


The n in snprintf includes the room for the terminating nul. It should be
8191. If gcc is throwing a warning, it can be ignored.

On Mon, Nov 20, 2023, 04:04 Serguei Sokol <serguei.sokol using gmail.com> wrote:

> On 19/11/2023 at 02:07, Iris Simmons wrote:
> > Yes, the reason for the error is the use of sprintf. You can instead use
> > snprintf where n is the maximum number of bytes to write, including the
> > terminating nul character. For example:
> >
> > char msg[8191];
> > snprintf(msg, 8191, "criteria: error (%d) -> %s\n", inErr, errStr);
> This line should be
>
> snprintf(msg, 8190, "criteria: error (%d) -> %s\n", inErr, errStr);
>
> i.e. 1 less than the 'msg' size, leaving room for the terminal 0-byte.
> Otherwise, a recent version of gcc emits a warning caught by CRAN.
>
> Best,
> Serguei.
>
>
> > Rf_error("%s", msg);
> >
> > or however large you made the error string.
> >
> >
> > On Sat, Nov 18, 2023, 20:01 Iago Giné-Vázquez <iago.gin-vaz using protonmail.com> wrote:
> >
> >> Dear all,
> >>
> >> I am updating a CRAN-archived R package, so it can get back to CRAN. But
> >> there is a warning produced on Linux that I am not sure I understand
> >> and do not know how to solve, even after looking at ‘Writing portable
> >> packages’ in the ‘Writing R Extensions’ manual and after searching
> >> the web. The warning is
> >>
> >>> * checking compiled code ... WARNING
> >>> File ‘ccckc/libs/ccckc.so’:
> >>> Found ‘sprintf’, possibly from ‘sprintf’ (C)
> >>> Object: ‘criteria.o’
> >>>
> >>> Compiled code should not call entry points which might terminate R nor
> >>> write to stdout/stderr instead of to the console, nor use Fortran I/O
> >>> nor system RNGs nor [v]sprintf.
> >>> See ‘Writing portable packages’ in the ‘Writing R Extensions’ manual.
> >>
> >> The package contains both C and Fortran code, and in criteria.c there
> >> is only one use of sprintf, as follows:
> >>
> >> sprintf(msg,"criteria: error (%d) -> %s\n", inErr, errStr);
> >> Rf_error(msg);
> >>
> >> Might the reason for the warning be the following line in the
> >> ‘Writing R Extensions’ manual?
> >>
> >>> Use of sprintf and vsprintf is regarded as a potential security risk and
> >>> warned about on some platforms.[82](https://cran.r-project.org/doc/manuals/R-exts.html#FOOT82)
> >>> R CMD check reports if any calls are found.
> >>
> >> If that is the reason, is there any alternative to the use of sprintf?
> >> Anyway, what can I do?
> >>
> >> Thank you in advance for your time.
> >>
> >> Kind regards,
> >> Iago
> >>
> >>
> >> ______________________________________________
> >> R-package-devel using r-project.org mailing list
> >> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>
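
Added example, not part of the original thread or of the package's code: a bounded replacement for the `sprintf` call discussed above, showing that the size passed to `snprintf` counts the terminating NUL and that its return value reveals truncation. The helper name `format_criteria_error` and the sample strings are assumptions; `Rf_error` appears only in a comment so the block compiles without R's headers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the package in the thread): writes the
 * thread's message into buf, which holds `size` bytes in total.
 * Returns 0 if the whole message fit, 1 if it was truncated, and -1 on
 * an output error or an unusable buffer. */
int format_criteria_error(char *buf, size_t size, int inErr, const char *errStr)
{
    if (buf == NULL || size == 0)
        return -1;
    /* The size argument counts the terminating NUL: at most size - 1
     * characters are stored, then '\0'. Pass the full buffer size. */
    int n = snprintf(buf, size, "criteria: error (%d) -> %s\n", inErr, errStr);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    /* n is the length the complete message needs, excluding the NUL. */
    return (size_t)n >= size ? 1 : 0;
}

int main(void)
{
    char msg[8191];                                    /* size used in the thread */
    const char *errStr = "100% of iterations failed";  /* constructed input */

    int rc = format_criteria_error(msg, sizeof msg, 7, errStr);
    /* In a package this is where Rf_error("%s", msg) would go: msg is
     * passed as data, so the '%' inside errStr is never treated as a
     * conversion. Printed here instead so the block runs stand-alone. */
    fputs(msg, stdout);
    printf("truncated: %d\n", rc);

    char tiny[16];                                     /* deliberately too small */
    rc = format_criteria_error(tiny, sizeof tiny, 7, errStr);
    printf("tiny holds %zu chars, truncated: %d\n", strlen(tiny), rc);
    return 0;
}
```

Using `sizeof msg` instead of repeating the literal keeps the bound correct if the array size changes later.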
