The function snprintf appears to behave in a manner that is both
unexpected and undocumented.
For one thing, the documentation suggests that you can determine the
space required for the generated output by calling snprintf(NULL, 0,
…); this will definitely NOT work! A terminating zero is always
stored.
For another thing, the documentation doesn’t mention that calling
snprintf(p, 0, …) results in a zero being stored at p-1. That can be
handy if you know about it, or very nasty if you don’t.
And finally, although the documentation is clear on this point, it might
be a good idea to include a warning about the use of snprintf() to build
up a message a piece at a time. A fairly common idiom is typified by
this code fragment taken from the netsdk:
len += snprintf(&buf[len], RECSIZE - 1 - len, …);
Without a separate test to compare len with RECSIZE, this code does NOT
provide the buffer overflow protection that the its author probably
intended. After the call that truncates output, len will be left larger
than RECSIZE, and “RECSIZE - 1 - len” will be a very large (unsigned)
number; the next call will generate unlimited output somewhere beyond
the buffer.
Murf