Every standard C integer parsing function (atol, strtol, strtoul, sscanf) has correctness or safety flaws; only std::from_chars in C++ works reliably.
Key Takeaways
atol() silently returns wrong values on overflow and trailing garbage; POSIX calls overflow behavior undefined, making it unsafe for untrusted input.
strtol() can be used correctly for signed types with careful errno and endptr checks, but requires boilerplate the manpage example omits.
strtoul() is unfixable: negative inputs wrap to large positives with no error, making it impossible to distinguish -1 from ULONG_MAX or valid large values.
sscanf() shares the same unsigned wrapping problem and cannot signal overflow for %lu, eliminating it as a safe alternative.
The workaround: call strtol() first to reject negative input, then call strtoul() for the actual conversion. Alternatively, use C++17 std::from_chars, which correctly rejects minus signs for unsigned types.
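
The strtol()-then-strtoul() workaround as an added C example (not code from the original page). The helper name parse_ulong and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: parse_ulong() is a hypothetical helper name.
 * Returns 0 and stores the value in *out on success, -1 on any error. */
int parse_ulong(const char *s, unsigned long *out)
{
    char *end;

    /* Step 1: strtol() sees the sign. Overflow does not matter here: a
     * too-large positive clamps to LONG_MAX and a too-small negative
     * clamps to LONG_MIN, so the sign of the result is still correct. */
    long probe = strtol(s, &end, 10);
    if (end == s)                  /* no digits at all */
        return -1;
    if (probe < 0)                 /* negative: strtoul() would wrap it */
        return -1;

    /* Step 2: the real conversion, with the errno and endptr checks. */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE)           /* larger than ULONG_MAX */
        return -1;
    if (end == s || *end != '\0')  /* nothing parsed, or trailing garbage */
        return -1;

    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *in[] = { "42", "-1", "12abc", "", "99999999999999999999999999" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        unsigned long v = 0;
        int rc = parse_ulong(in[i], &v);
        errno = 0;
        unsigned long raw = strtoul(in[i], NULL, 10);
        printf("%-28s raw strtoul=%lu errno=%d | parse_ulong rc=%d v=%lu\n",
               in[i], raw, errno, rc, v);
    }
    return 0;
}
```

Leading whitespace and a leading "+" are still accepted, and "-0" parses as 0 because strtol() reports it as non-negative; reject those before calling the helper if the input format forbids them.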