OS_File,255 and its brethren load a file – usually into a supplied buffer (they can be used to get FileSwitch to work out how to load the file, but we’ll say no more about that, it’s not affected).

The problem with this call, which dates back to the BBC Micro, is that there’s no buffer length. The usual programmer’s pattern is to find the file length with OS_File,5; allocate a buffer; then load it with OS_File,255. This was just about defensible on a stand-alone Archimedes, but in a networked or multi-user environment (such as an emulated RISC OS under a real operating system) the file can change length between the two OS_File calls.

This is bad. It leads to crashes, data loss, and even remote code execution. Very bad. But it’s a familiar pattern, and certainly one I’ve used many times.

SaferOsFile adds a new flag to OS_File,255, 12, 14 and 16 – bit 30 of R3. If set (and bits 0-7 are clear) then R5 becomes the expected file length – i.e. the length of the buffer you are loading the file into. If the file is not exactly that length, you get a Buffer Overflow error, and no memory corruption. Much better! You can use this API even if the module isn’t present, because FileSwitch itself ignores that bit and R5 (but you’ll get no protection in that case, naturally).