Converting an int to a string in C, securely

Question

According to a top answer on SO this is what I should do to convert an integer to a string in C:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <math.h>

#define digits(x) ((int)((ceil(log10(abs(x)))+1)*sizeof(char)))

int main () {
    int a = 345908220;
    long b = 23094809284358;
    unsigned int c = 3456789234;
    uint8_t d = 242;
    int64_t e = -840958202029834;

    int dstr_len = digits(a) + digits(b) + digits(c) +
                   digits(d) + digits(e) + 5;

    char dstr[dstr_len];
    sprintf(dstr, "%d %ld %u %u %" PRIu64, a, b, c, d, e);

    printf("%s\n", dstr);

    return 0;
}

However, this seems ridiculously inefficient. I have to link my program to libmath, and make three math calls for every integer that I want to print. Also note that I had to add 5 to my buffer and not just 1 for the NUL terminator, by counting the number of spaces in my format string. This also seems error-prone, and could lead to a buffer overflow.

So, is there any nice, standard function, that will compute the size of my buffer for me?

I'm trying to write secure C.

Answer 1

If your compiler has snprintf() available, you can request the formatted buffer length and then allocate accordingly:

int dstr_len = snprintf(NULL, 0, "%d %ld %u %u %" PRIu64, a, b, c, d, e) + 1;

char dstr[dstr_len];
//
// NOTE: variable-length arrays are NOT supported in all compilers!
// A more portable solution is:
//
// char *dstr = malloc(sizeof(char) * dstr_len);

snprintf(dstr, dstr_len, "%d %ld %u %u %" PRIu64, a, b, c, d, e);

// free(dstr);

Answer 2

You can use snprintf for this. From the manpage:

The functions snprintf() and vsnprintf() do not write more than size bytes (including the teriitminating null byte ('\0')). If the output was truncated due to this limit then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated.

Thus you can call it with 0 for the size and capture the return value then allocate based on that.

Answer 3

You can use asprintf, which allocates a large enough output string for you.

Don't forget to free the output string, because it is dynamically allocated.

asprintf is available on Mac OSX, Linux, and BSD. The source code is available from Apple if you wish to use it on other platforms.

Example:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

int main () {
    int a = 345908220;
    long b = 23094809284358;
    unsigned int c = 3456789234;
    uint8_t d = 242;
    int64_t e = -840958202029834;

    char *dstr;
    asprintf(&dstr, "%d %ld %u %u %" PRIu64, a, b, c, d, e);
    if (dstr == NULL) {perror(NULL), exit(1);}

    printf("%s\n", dstr);
    free(dstr);

    return 0;
}

Answer 4

Most C "runtime environments" are at most 64 bits. You could test that int is at most 64 bits (with <stdint.h> and <limits.h>) then use snprintf (not sprintf which is unsafe and deprecated) on a large enough buffer (32 bytes is more than enough for 2⁶⁴ in decimal).

See Posix spec on limits.h which define WORD_BIT so

#if WORD_BIT > 64
#error cannot compile on this machine
#endif

char buf[32];
snprintf(buf, sizeof(buf), "%d", a);

BTW, <stdint.h> defines several types. You might want intmax_t