Secure C Library

From RAD Studio
Jump to: navigation, search

Go Up to C Run-Time Library Reference

The foremost reason why Secure C Library came into existence was the need for bounds checking for string handling functions in the C Library. There are many functions in the C Library that expect the caller to supply string parameters long enough to hold the result of the operations. When a larger string is written "over" a smaller string, in fact data is written past the end, overwriting other program data. This can lead to "mysterious" failures, as the program has no means of knowing if or when something went wrong.

A typical solution was to try to use strings that were "big enough" but this could lead to two problems: either the result was a waste of space, or the user's "big enough" was not big enough in practice. In addition, buffer overflows can be exploited in order to run harmful code, compromising the security of operating systems and networks.

For many C Run-time Library functions, the Secure C Library introduces extra parameters that are used for bounds checking of character arrays, and data is never written past the end of an array. Besides that, it introduces run-time constraints and the means for the user to set his own run-time violation handling functions. Doing so, the program can know when and where something goes wrong with a character array and can fix the error, or fail gracefully.

Note: The Secure C Library is not supported on OS X applications.

The style of programming that Secure C Library promotes leads to safer and less bug-filled code.


int main(){ 
    char corpName[10];
    printf ("Enter your corporation name:  ");
    printf ("Your corporation name is: %s", corpName);
    return 0;

If the client inputs a name greater than 9 characters, then stack and data corruption can occur. Changing gets(name); to gets_s(name,10) removes these problems, as no matter how many characters the user inputs, only the first 9 characters are stored in the corpName character array.


Input/output Routines

File access functions

Formatted input/output functions

Character input/output functions


Runtime-constraint handling

Communication with the environment

Searching and sorting utilities


Copying functions

Concatenation functions

Search functions

Miscellaneous functions


Time conversion functions