Why is strcpy regarded as an error in VS2012 express?

  • Question

  • When I use strcpy in VS2012 express, the compiler reports

    error C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.

    I can fix this issue by adding _CRT_SECURE_NO_WARNINGS, but why does VS2012 become so paranoid?

    Friday, August 24, 2012 3:26 PM

Answers

  • C4999 is a warning. Because it is a particularly dangerous one, it is recommended that it be treated as an error and you are likely running with a compiler flag which enforces that.

    VS2012 is trying to help developers write good code by defaulting to calling out potentially dangerous code. As the message you quote mentions, if the developer has confirmed that legacy code's use of strcpy is safe then the warning can be disabled; that said, it is probably easier to replace strcpy with strcpy_s than it is to confirm that the usage is actually correct. It is very easy to make dangerous mistakes with strcpy.

    I suggest you read Avoiding Buffer Overruns. You might also search for "strcpy buffer overrun" to find a number of other articles discussing the problem with strcpy.

    --Rob

    Monday, August 27, 2012 7:04 AM
    Moderator
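
The pattern C4996 flags, next to a size-checked copy, as an added example that is not part of the thread and is not the CRT's code. `struct record`, `set_name_legacy`, `checked_copy` and the sample names are hypothetical; `checked_copy` only models the result documented for strcpy_s when the source does not fit (ERANGE returned, destination emptied) and does not invoke an invalid-parameter handler.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct record { char name[8]; int is_admin; };  /* hypothetical layout */

/* Legacy pattern: nothing ties the copy to sizeof r->name, so whether it
   is safe depends on every caller. A name of 8+ characters would write
   past name[] into the neighbouring field. */
static void set_name_legacy(struct record *r, const char *name)
{
    strcpy(r->name, name);
}

/* Hypothetical stand-in modelled on strcpy_s: the destination size is an
   explicit argument and an oversized source is rejected, not truncated. */
static int checked_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    for (size_t i = 0; i < dst_size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;              /* terminator copied: it fit */
    }
    dst[0] = '\0';                 /* did not fit: leave an empty string */
    return ERANGE;
}

static int set_name_checked(struct record *r, const char *name)
{
    return checked_copy(r->name, sizeof r->name, name);
}

int main(void)
{
    struct record r = { "", 0 };
    set_name_legacy(&r, "alice");  /* constructed input, short enough to be safe */
    printf("legacy : name=%s is_admin=%d\n", r.name, r.is_admin);
    int rc = set_name_checked(&r, "administrator");  /* constructed, too long */
    printf("checked: rc=%d name='%s' is_admin=%d\n", rc, r.name, r.is_admin);
    return 0;
}
```
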

All replies

  • strcpy isn't safe (can cause buffer overflow) ... simply use strcpy_s (wcscpy_s).
    Friday, August 24, 2012 4:25 PM
  • Thanks for your comments. But it's the developers' responsibility to guarantee strcpy is safe. Considering the usage of strcpy a compiler error is an overreaction and breaks legacy code miserably.
    Friday, August 24, 2012 4:54 PM