vsprintf considered dangerous

Bob Frankston bobf at lotus.UUCP
Sun Apr 3 10:31:26 AEST 1988


One area that doesn't seem to be addressed in the ANSI standard is
the fact that C functions generally do not take lengths of output
buffers.  The result is that using the standard zero-terminated
string library functions can result in programs failing unexpectedly
on unusual input.

While it is easy to replace most string functions to avoid this,
vsprintf is much more difficult to replace.  It is also hard to
predict the required length for the buffer.  I feel very strongly
that there should be a new function that is like vsprintf but which
takes an output buffer length.  The standard should also say that the
implementation must not have any internal buffers that might get
overrun.  Of course, there should also be safe versions of the other
string functions, but that is less critical.

Of course, the zero-termination is sacred so that a result that fills
the output buffer will be terminated by a zero byte within the
buffer.  For those not using zero-terminated strings there should be
corresponding "mem" functions.  In fact, a "mem" version of vsprintf
could be used by the "str" version and satisfy both needs.
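The function the post asks for was later standardised as vsnprintf in C99. The following is an added example, not code from the original post or from its author: a bounded replacement for vsprintf that takes the output buffer length, always leaves the zero terminator inside the buffer, and reports the length the full result needed so truncation can be detected, plus a helper that predicts the required length and allocates exactly that. The names str_vformat, str_format, str_truncated and format_alloc are this example's own and the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bounded replacement for vsprintf: takes the output buffer length, always
 * leaves a NUL terminator inside the buffer (when len > 0), and returns the
 * length the complete result would need, so the caller can tell that the
 * output was cut short.  Built on C99 vsnprintf.  Returns -1 on a
 * formatting error or when len == 0 (there is nowhere for the terminator).
 */
int str_vformat(char *buf, size_t len, const char *fmt, va_list ap)
{
    int needed;

    if (buf == NULL || len == 0)
        return -1;

    needed = vsnprintf(buf, len, fmt, ap);
    if (needed < 0) {
        buf[0] = '\0';              /* never hand back an unterminated buffer */
        return -1;
    }
    return needed;                  /* >= len means the result was truncated */
}

/* Variadic convenience wrapper around str_vformat. */
int str_format(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = str_vformat(buf, len, fmt, ap);
    va_end(ap);
    return rc;
}

/* Was a str_format() result cut short for a buffer of this size? */
int str_truncated(int rc, size_t len)
{
    return rc < 0 || (size_t)rc >= len;
}

/*
 * Predict the required length and allocate exactly that.  vsnprintf with a
 * zero-length buffer only measures; va_copy is needed because the first pass
 * consumes the va_list.  The caller frees the result.  Returns NULL on a
 * formatting error or allocation failure.
 */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    int needed;
    char *out;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        va_end(ap2);
        return NULL;
    }
    out = malloc((size_t)needed + 1);
    if (out != NULL)
        vsnprintf(out, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

int main(void)
{
    char small[8];                  /* deliberately too small for the input */
    int rc = str_format(small, sizeof small, "user=%s", "a-much-longer-name");
    printf("rc=%d truncated=%d buf=\"%s\"\n",
           rc, str_truncated(rc, sizeof small), small);

    char *full = format_alloc("user=%s", "a-much-longer-name");
    if (full != NULL) {
        printf("full=\"%s\"\n", full);
        free(full);
    }
    return 0;
}
```

With an 8-byte buffer the first call stores "user=a-" and a terminator and returns 23, the length the full string needed, which is how a caller distinguishes a clean result from a truncated one; vsprintf would have written all 24 bytes past the end of the buffer.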


