...
These functions are included only for compatibility with older implementations. They have undefined behavior if the resulting string would be too long, so the use of these functions should be discouraged. On implementations that do not detect output string length overflow, it is possible to overflow the output buffers in such a way as to cause applications to fail, or possible system security violations. Also, these functions do not support localized date and time formats. To avoid these problems, applications should use
strftime()to generate strings from broken-down times.
The C Standard, Annex K, also defines asctime_s(), which can be used as a secure substitute for asctime().
The The asctime() function appears in the list of obsolescent functions in MSC24-C. Do not use deprecated or obsolescent functions.
...
This call has the same effects as asctime() but also ensures that no more than maxsize characters are printed, preventing buffer overflow.
Compliant Solution (asctime_s())
The C Standard, Annex K, defines the asctime_s() function, which serves as a close replacement for the asctime() function but requires an additional argument that specifies the maximum size of the resulting time string:
...
| bgColor | #ccccff |
|---|---|
| lang | c |
...
.
...
Risk Assessment
On implementations that do not detect output-string-length overflow, it is possible to overflow the output buffers.
...