
vsnprintf and snprintf: msg#00008

lang.nasm.devel

Subject: vsnprintf and snprintf

I have checked in the file, but I thought I should also explicitly point out that I have made a change in the configure.in file which affects gcc's flags. Specifically, vsnprintf and snprintf were not part of the 1989 ANSI C standard. They came later in the ISO 99 standard, so gcc does not "find" these functions if we use the -ansi compile switch. I have modified configure.in (which generates configure, which generates the Makefile) to change -ansi to -std=c99 to allow us to use these safer functions and avoid vulnerability to the kind of buffer overflow exploits pointed out to us recently.

Also, one other small thing. I have made the functions safer by using sprintf instead of snprintf, but there is still some remaining work to be done regarding the corrected calls. snprintf returns the length of the string that *would* have been printed if the buffer had been long enough and not the actual length. In nasm's code, the return value is simply ignored in all places except for disasm.c, where it is used to keep the running length of the string. The way it's used there, we *still* have a possibility of a buffer overrun, but a smaller one, so I have left it as is for now and inserted a comment in the code with a TODO marker.

Ed
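The running-length pattern described above, shown as an added example (not nasm's code; the instruction fragments and the 16-byte buffer are constructed). append_running accumulates snprintf's return value the way the message describes for disasm.c, so after one truncated fragment the position is already past the end of the buffer and a further call would hand snprintf a pointer outside the buffer and a wrapped size_t length. append_clamped is the hardened form: it clamps the position and reports truncation instead. Requires -std=c99 for snprintf, as the message notes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16   /* constructed: deliberately too small for the demo text */

/* Running-length pattern: pos += snprintf(...).
 * snprintf returns the length that *would* have been written, so if the
 * fragment is truncated the returned pos lies beyond the buffer. A later
 * call with that pos would pass buf + pos (outside the buffer) and
 * size - pos (wrapped to a huge size_t): the overrun the message warns of.
 * Assumes pos < size on entry. */
size_t append_running(char *buf, size_t size, size_t pos, const char *s)
{
    int n = snprintf(buf + pos, size - pos, "%s", s);
    return pos + (size_t)n;
}

/* Hardened variant: never lets pos pass size - 1, so every later call
 * gets a valid pointer and a non-wrapping remaining length, and the
 * caller is told that output was truncated. */
typedef struct {
    size_t pos;      /* index of the terminating NUL after this append */
    int truncated;   /* 1 if any part of s did not fit */
} append_result;

append_result append_clamped(char *buf, size_t size, size_t pos, const char *s)
{
    append_result r = { pos, 0 };
    if (size == 0) { r.truncated = 1; return r; }
    if (pos >= size) { r.pos = size - 1; r.truncated = 1; return r; }
    int n = snprintf(buf + pos, size - pos, "%s", s);
    if (n < 0) { r.truncated = 1; return r; }          /* encoding error */
    if ((size_t)n >= size - pos) {                      /* did not fit */
        r.pos = size - 1;                               /* NUL is at size - 1 */
        r.truncated = 1;
    } else {
        r.pos = pos + (size_t)n;
    }
    return r;
}

/* Build "mov eax, 0x12345678" (19 chars) with the naive pattern and return
 * the final pos. The third fragment is truncated, so pos ends at 19, past
 * the 16-byte buffer; one more append_running call would be an overrun. */
size_t demo_running_pos(void)
{
    char buf[BUF_SIZE];
    size_t pos = 0;
    pos = append_running(buf, sizeof buf, pos, "mov ");        /* pos = 4  */
    pos = append_running(buf, sizeof buf, pos, "eax, ");       /* pos = 9  */
    pos = append_running(buf, sizeof buf, pos, "0x12345678");  /* pos = 19 */
    return pos;
}

/* Same text with the clamped appender; copies the result into out and
 * returns the final position and truncation flag. A fourth fragment is
 * appended to show that calls after truncation stay in bounds. */
append_result demo_clamped(char *out, size_t outsize)
{
    char buf[BUF_SIZE];
    append_result r = { 0, 0 };
    r = append_clamped(buf, sizeof buf, r.pos, "mov ");
    r = append_clamped(buf, sizeof buf, r.pos, "eax, ");
    r = append_clamped(buf, sizeof buf, r.pos, "0x12345678");  /* truncated */
    r = append_clamped(buf, sizeof buf, r.pos, " ; comment");  /* still safe */
    snprintf(out, outsize, "%s", buf);
    return r;
}

int main(void)
{
    char out[BUF_SIZE];
    append_result r = demo_clamped(out, sizeof out);
    printf("naive final pos: %zu (buffer is %d bytes)\n", demo_running_pos(), BUF_SIZE);
    printf("clamped: \"%s\" pos=%zu truncated=%d\n", out, r.pos, r.truncated);
    return 0;
}
```

The fix the message leaves as a TODO amounts to replacing the bare accumulation with the clamped form (or equivalently checking each return value against the remaining space before adding it to the running length).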




