can the wcsncpy_s function result in a buffer overflow?

Question

I'm trying to understand how the wcsncpy_s function works and how it prevents against buffer overflows. First, according to MSDN, the arguments to this function mean the following:

strDest= Destination string.

numberOfElements= The size of the destination string.

strSource= Source string.

count= Number of characters to be copied, or _TRUNCATE.

Now consider this code:

wchar_t a[5];
wcsncpy_s(a, 10, L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 9);

printf("%d\r\n", sizeof(a));//10
printf("%d\r\n", wcslen(a));//9
wprintf(L"%s", a);//ABCDEFGHI

If I am making sense of all this, "a", which is supposed to hold at most 4 wide characters plus a null terminator, now holds 9 wide characters.

Now, the following code will cause my app to terminate abruptly due to a failed debug assertion (VS 2005 compiler):

wchar_t a[5];
wcsncpy_s(a, 10, L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 10);

printf("%d\r\n", sizeof(a));
printf("%d\r\n", wcslen(a));
wprintf(L"%s", a);

Can someone please explain the code above and also how wcsncpy_s is supposed to prevent against buffer overflows?

Answer 1

wcsncpy_s(a, 10, L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 9);

You are lying to the function. You tell it, "a has sufficient space to store 10 characters," when in fact it has only enough space to store five. The function trusts that you are providing it with valid information (how could it know that you aren't?)

Note that while you get a runtime error with the second code snippet, the first code snippet is equally wrong. Both write past the end of the array a.

That said: you are using the wrong overload of wcsncpy_s: when compiling C++ code, there is an additional wcsncpy_s overload that is a template that deduces the size of the target array. If you were to change the call to:

wcsncpy_s(a, L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 9);

The template will deduce that the array has five elements and automatically use that as the size. This works only when the target is an array; it does not work if the target is a pointer to the initial element in an array.

Ideally, if you are using C++, it is best to avoid C string manipulation altogether: use std::wstring or some other string type. If you do want to use these functions that work with C strings, at least use std::vector<wchar_t> or std::array<wchar_t, N> instead of raw arrays: it's much harder to screw up the code. For example,

std::array<wchar_t, 5> a;
wcsncpy_s(a.data(), a.size(), L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 9);

The code for std::vector<wchar_t> would be identical. Note that obtaining a pointer to the underlying array and obtaining the size of that array follow the same form, so it's both easy to write the code and easy to check that the code is correct (simple visual inspection of the invocation is all that is required).

Answer 2

In this line:

wcsncpy_s(a, 10, L"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 9);

you're telling the function that there is room for 10 characters in a, when in fact there is only room for 5.