ref: 79699357c1b4dfe8db47eb43f15b7d03c9bc820f
parent: 1990930eb1cae6e60296ba6c85a946b063624f48
author: Simon Howard <fraggle@gmail.com>
date: Sat Mar 29 18:07:27 EDT 2014
HACKING: Add note about unsafe C functions. Add a section to the HACKING file listing unsafe C library functions that should not be used.
--- a/HACKING
+++ b/HACKING
@@ -6,10 +6,10 @@
style of the original source code. This maintains consistency throughout
the program, and does not require the original code to be changed. Some
of these guidelines are stricter than what was done in the original
-source; follow these when writing new code only: there is no need to
+source; follow these when writing new code only: there is no need to
change existing code to fit them.
-You should set tabs to _display_ as eight spaces, not four. However,
+You should set tabs to _display_ as eight spaces, not four. However,
_indentation_ should be four spaces. If possible, do not use tab
characters at all. There is a utility called "expand" which will remove
tab characters. For the reasoning behind this, see:
@@ -16,12 +16,12 @@
http://www.jwz.org/doc/tabs-vs-spaces.html
Please write code to an 80 column limit so that it fits within a standard
-80 column terminal.
+80 column terminal. Do not leave trailing whitespace at the end of lines.
-Functions should be named like this: 'AB_FunctionName'. The 'AB' prefix
+Functions should be named like this: 'AB_FunctionName'. The 'AB' prefix
denotes the subsystem (AM_ for automap, G_ for game, etc). If a
function is static, you can omit the prefix and just name it like
-'FunctionName'. Functions and global variables should always be made
+'FunctionName'. Functions and global variables should always be made
static if possible.
Put '_t' on the end of types created with typedef. Type names like this
@@ -37,7 +37,7 @@
I don't care that this isn't standard ANSI C.
Variables should be named like this: 'my_variable_name', not like this:
-'MyVariableName'. In pointer variable declarations, place the '*' next
+'MyVariableName'. In pointer variable declarations, place the '*' next
to the variable name, not the type.
When using an if, do, while, or for statement, always use the { } braces
@@ -61,7 +61,7 @@
char *member2;
} my_structure_t;
-void FunctionName(int argument, int arg2, int arg3, int arg4, int arg5,
+void FunctionName(int argument, int arg2, int arg3, int arg4, int arg5,
int arg6, int arg7)
{
if (condition)
@@ -72,7 +72,7 @@
{
body;
}
- else
+ else
{
body;
}
@@ -88,11 +88,11 @@
case FIRST:
code;
break;
-
+
case SECOND:
code;
break;
-
+
default:
break;
}
@@ -107,12 +107,43 @@
loop_body;
}
- do
+ do
{
} while (condition);
}
+Security
+========
+
+The C standard library has a number of unsafe functions that should be
+avoided when writing code for Chocolate Doom. These are:
+
+ Unsafe function Safer alternative
+ ---------------------------------------------
+ gets() fgets(.., stdin)
+ sprintf snprintf()
+ strcpy() M_StringCopy()
+ strncpy() M_StringCopy()
+ strcat() M_StringConcat()
+ strncat() M_StringConcat()
+
+Lots of the code includes calls to DEH_String() to simulate string
+replacement by the Dehacked tool. Be careful when using Dehacked
+replacements of printf format strings. For example, do not do this:
+
+ printf(DEH_String("foo %s"), s);
+ sprintf(mybuf, DEH_String("bar %s"), t);
+
+Instead do this:
+
+ DEH_printf("foo %s", s);
+ DEH_snprintf(mybuf, sizeof(mybuf), "bar %s", t);
+
+This does the format string replacement safely in a way that checks
+the arguments securely.
+
+
Portability
===========
@@ -119,7 +150,7 @@
Chocolate Doom is designed to be cross-platform and work on different
Operating Systems and processors. Bear this in mind when writing code.
-Do not use the long type (its size differs across platforms; use
+Do not use the long type (its size differs across platforms; use
int or int64_t depending on which you want).
Use Doom's byte data type for byte data. 'int' is assumed to be a
@@ -126,7 +157,7 @@
32-bit integer, and 'short' is a 16-bit integer. You can also use the
ISO C99 data types: intN_t and uintN_t where N is 8,16,32,64.
-Be careful with platform dependencies: do not use Windows API
+Be careful with platform dependencies: do not use Windows API
functions, for example. Use SDL where possible.
Preprocessor #defines are set that can be used to identify the OS
@@ -134,9 +165,9 @@
are set through SDL. Try to avoid this if possible.
Be careful of endianness! Doom has SHORT() and LONG() macros that
-do endianness conversion. Never assume that integer types have a
-particular byte ordering. Similarly, never assume that fields
-inside a structure are aligned in a particular way. This is most
+do endianness conversion. Never assume that integer types have a
+particular byte ordering. Similarly, never assume that fields
+inside a structure are aligned in a particular way. This is most
relevant when reading or writing data to a file or a network pipe.
For signed integers, you shouldn't assume that (i >> n) is the same as
@@ -148,7 +179,7 @@
=====================
All code submitted to the project must be licensed under the GNU GPL or a
-compatible license. If you use code that you haven't 100% written
+compatible license. If you use code that you haven't 100% written
yourself, say so. Add a copyright header to the start of every file. Use
this template: