...
Ensure that restrict-qualified source and destination pointers do not reference overlapping objects when invoking library functions. For example, the following table lists C standard library functions that copy memory from a source object referenced by a restrict-qualified pointer to a destination object that is also referenced by a restrict-qualified pointer:
| Standard C | Annex K | ||
|---|---|---|---|
strcpy() | strcpy_s() | ||
strncpy() | strncpy_s() | strcat() | |
strcat | _s() | ||
strncat() | strncat_s() | ||
memcpy() | memcpy | _s() | strtok_s() |
If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. (See also undefined behavior 65.) The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as memmove(), should be used.
...
Ensure that functions that accept a restrict-qualified pointer to a const-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following table lists of some of the common functions for which the format argument is a restrict-qualified pointer to a const-qualified type.
| Standard C | Annex K | |
|---|---|---|
printf() | printf_s() | |
scanf() | scanf_s() | |
sprintf() | sprintf_s() | snprintf() |
snprintf | _s() |
For formatted output functions such as printf(), it is unlikely that a programmer would modify the format string. However, an attacker may attempt to do so if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string.
...