# Monday, May 18, 2009

I have pretty well always sucked in air through my teeth when I see calls to memcpy. So much of the time it's a marker of premature optimization and a developer who is sure "my code is faster than what the stupid compiler emits". Even when that's not what's going on, it's so darn vulnerable to things changing size over the decades. It just scares me. As result, there isn't much (or even any?) of it in my code, so I'm not directly affected to read that memcpy() is joining the ranks of the "you shouldn't use it" functions, along with strcpy etc.

I blogged about strcpy and some cousins being replaced with more secure versions five years ago. (I had not thought it was that long, but it turns out it was.) Now it's memcpy's turn. The Security Development Lifecycle blogs this, and shows you how to deprecate things yourself. It's probably no surprise to be told you should use memcpy_s instead. There's a scary list of security bugs that are apparently due to misuse of memcpy that memcpy_s would have caught, so if you are an memcpy user, change your ways!


Monday, May 18, 2009 3:33:06 PM (Eastern Daylight Time, UTC-04:00)  #