[PATCH v3 01/10] shell32/autocomplete: Fix a vulnerability by avoiding the use of snprintf

[Huw Davies]

On Mon, Sep 10, 2018 at 02:48:02PM +0300, Gabriel Ivăncescu wrote:
> On Mon, Sep 10, 2018 at 11:05 AM, Huw Davies <huw at codeweavers.com> wrote:
> >
> > This inner loop to process %% is ugly.  Just do the processing of %s in this block.
> > If you want to make sure you only do it once then set a flag.
> >
> Alright, I honestly think it's ok since it's a short block, but I'll
> count the number of args then, I think it's a better approach than a
> flag (even though in this case it's the same thing since only one %s
> arg is allowed).

It took me significantly longer to figure out what was going on than
it should have done.  What you should be trying to do is to keep the
code as simple as possible so that the reviewer doesn't have to figure
these things out.

A count instead of a flag will be fine if prefer that.

Huw.