...
A number of existing libraries are available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by the C Standard, Section 7.24, are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends using the ISO/IEC TR 24731-1 C11 Annex K [ISO/IEC TR 24731-1:20079899:2011] functions with statically allocated arrays. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.
ISO/IEC TR 24731 -2 Part II offers another approach, supplying functions that allocate enough memory for their results [ISO/IEC TR 24731-2]. It provides an API that dynamically allocates the results of string functions as needed. Almost all of the APIs in this technical report are also in a current International Standard. For example, TR 24731 -2 Part II includes POSIX functions, such as strdup() [ISO/IEC 9945:2003], as well as functions from the Linux Standard Base Core Specification such as asprintf() [ISO/IEC 23360-1:2006].
...
| CERT C++ Secure Coding Standard | STR01-CPP. Adopt and implement a consistent plan for managing strings |
| ISO/IEC TR 24731-1:20079899:2011 | Annex K |
| ISO/IEC TR 24731-2:2010 | |
| MISRA C:2012 | Directive 4.12 (required) |
...