Warn on sprintf use.

doc/obsolete-stuff

@@ -218,6 +218,18 @@ particular problem.
 
 Sortix currently provides this function for compatibility reasons.
 
+sprintf
+-------
+
+The sprintf function is dangerous as it can be hard to predict the length of the
+output string safely. A mistake can easily end in security vulnerabilities and
+undefined behavior. Use the snprintf function instead as it knows the size of
+the destination buffer and safely truncates in the error case. Such truncation
+can be detected by the cacller. Use the asprintf function or another approach
+if determinining the output length is hard.
+
+Sortix currently provides this function for compatibility reasons.
+
 strings.h
 ---------
 

libc/include/stdio.h

@@ -166,6 +166,9 @@ int rename(const char* oldname, const char* newname);
 void rewind(FILE* stream);
 void setbuf(FILE* __restrict stream, char* __restrict buf);
 int setvbuf(FILE* __restrict stream, char* __restrict buf, int type, size_t size);
+#if !defined(__is_sortix_libc) /* not a warning inside libc */
+__attribute__((__warning__("sprintf() is dangerous, use snprintf()")))
+#endif
 int sprintf(char* __restrict s, const char* __restrict format, ...)
 	__attribute__((__format__ (printf, 2, 3)));
 int scanf(const char* __restrict format, ...)
@@ -178,6 +181,9 @@ int vfprintf(FILE* __restrict stream, const char* __restrict format, __gnuc_va_l
 	__attribute__((__format__ (printf, 2, 0)));
 int vprintf(const char* __restrict format, __gnuc_va_list ap)
 	__attribute__((__format__ (printf, 1, 0)));
+#if !defined(__is_sortix_libc) /* not a warning inside libc */
+__attribute__((__warning__("vsprintf() is dangerous, use vsnprintf()")))
+#endif
 int vsprintf(char* __restrict s, const char* __restrict format, __gnuc_va_list ap)
 	__attribute__((__format__ (printf, 2, 0)));