OWASP says:
"C library functions such as strcpy (), strcat (), sprintf () and vsprintf () operate on null terminated strings and perform no bou
Your 2 numbered conclusions are correct, but incomplete.
There is an additional risk:
    char* format = 0;
    char buf[128];
    sprintf(buf, format, "hello");
Here, format is not NULL-terminated. sprintf() doesn't check that either.
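As an added example (not code from the answer above), here is the defensive counterpart: a wrapper that refuses a NULL format pointer and formats through vsnprintf() with an explicit size, so the destination buffer can never overflow and is always NUL-terminated. The name safe_format and its return codes are assumptions for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: bounded formatting into buf.
 * Returns 0 on success, -1 on a NULL buffer/format or encoding error,
 * -2 if the output did not fit (buf then holds a NUL-terminated prefix).
 * Unlike sprintf(), it can neither dereference a NULL format nor write
 * past bufsize bytes. */
int safe_format(char *buf, size_t bufsize, const char *format, ...)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    buf[0] = '\0';                  /* never hand back uninitialised bytes */
    if (format == NULL)
        return -1;                  /* sprintf() would dereference NULL here */

    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(buf, bufsize, format, ap);   /* writes at most bufsize-1 chars + NUL */
    va_end(ap);

    if (n < 0)
        return -1;                  /* encoding error */
    if ((size_t)n >= bufsize)
        return -2;                  /* truncated: n is the length the full output needed */
    return 0;
}

int main(void)
{
    char buf[16];
    const char *format = NULL;      /* the NULL-format case from the answer */
    printf("NULL format -> %d\n", safe_format(buf, sizeof buf, format, "hello"));

    /* Constructed input longer than the 16-byte buffer: truncated, not overflowed. */
    int rc = safe_format(buf, sizeof buf, "%s", "this string is longer than 16 bytes");
    printf("too long -> %d, buf=\"%s\"\n", rc, buf);

    rc = safe_format(buf, sizeof buf, "%s", "hello");
    printf("fits -> %d, buf=\"%s\"\n", rc, buf);
    return 0;
}
```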