...
Statically allocated strings assumes a fixed size character array, meaning that it is impossible to add data after the buffer is filled. Because the static approach discards excess data, actual program data can be lost. Consequently, the resulting string must be fully validated.
...
| Wiki Markup |
|---|
There are a number of existing libraries available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by C99 Section 7.21, "String handling <string.h>" \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] are primarily intended for managing statically allocated strings. However, these functions are problematic because many of the functionsthem are insufficiently bounded. Consequently, this standard recommends use of the ISO/IEC TR 24731-1 \[[ISO/IEC TR 24731-1-2007|AA. C References#ISO/IEC TR 24731-1-2007]\] functions for use with statically allocated arrays (see [STR07-A. Use TR 24731 for remediation of existing string manipulation code]). These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations. |
...