https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104969

--- Comment #2 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #0)
> The original code is defective a bit as it wrongly assumes that
> (char*)str + (2 * i) is at maximum 'len' big. It's actually len - (2 * i)
> big. But it should be still valid code, am I right?

It doesn't overflow in this case, but specifying a length larger than the actual buffer size is a standard violation.

"""
The snprintf() function shall be equivalent to sprintf(), with the addition of the n argument which states the size of the buffer referred to by s. If n is zero, nothing shall be written and s may be a null pointer. Otherwise, output bytes beyond the n-1st shall be discarded instead of being written to the array, and a null byte is written at the end of the bytes actually written into the array.
"""

https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html
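
Added example, not part of the original comment or the code in the bug report: a hex-encoding loop of the kind discussed above, with the size argument reduced by the same offset that is added to the pointer. The function name `hex_encode`, its signature and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: hex-encode n bytes of in[] into str, which is len bytes.
 * Returns characters written (excluding the NUL), or -1 if str is too small. */
int hex_encode(char *str, size_t len, const unsigned char *in, size_t n)
{
    if (len == 0)
        return -1;
    str[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t off = 2 * i;
        if (off >= len)
            return -1;
        /* Pattern from the report: snprintf(str + off, len, ...) claims len
         * bytes at str + off, but only len - off remain there. */
        size_t left = len - off;
        int r = snprintf(str + off, left, "%02x", in[i]);
        if (r < 0 || (size_t)r >= left)
            return -1;              /* output was truncated */
    }
    return (int)(2 * n);
}

int main(void)
{
    const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    char buf[2 * sizeof sample + 1];
    int r = hex_encode(buf, sizeof buf, sample, sizeof sample);
    printf("%d %s\n", r, buf);
    return r == 8 && strcmp(buf, "deadbeef") == 0 ? 0 : 1;
}
```

Because the size passed to snprintf() always matches the space left at the destination pointer, a too-small buffer shows up as a truncation result from the call rather than depending on the output happening to fit.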