Versions Compared

...

The formatted I/O functions fprintf(), printf(), sprintf(), snprintf(), vfprintf(), vprintf(), vsprintf(), and vsnprintf() convert, format, and print their arguments under control of a format string. Section 7.21.6.1 of the C standard [ISO/IEC 9899:2011] states:

The format shall be a multibyte character sequence, beginning and ending in its initial shift state. The format is composed of zero or more directives: ordinary multibyte characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments, converting them, if applicable, according to the corresponding conversion specifier, and then writing the result to the output stream.

Each conversion specification is introduced by the % character followed (in order) by

  • Zero or more flags (in any order), which modify the meaning of the conversion specification
  • An optional minimum field width
  • An optional precision that gives the minimum number of digits to appear for certain conversion specifiers
  • An optional length modifier that specifies the size of the argument
  • A conversion specifier character that indicates the type of conversion to be applied

...

  • SPACE—the space (' ') character
  • N/E—no effect
  • NTBS—char* argument pointing to a null-terminated byte string
  • NTWS—wchar_t* argument pointing to a null-terminated wide-character string
  • XSI—ISO/IEC 9945-2003 XSI extension

...

The width and precision arguments to printf() format directives must be of type int. Section 7.21.6.1 of the C standard [ISO/IEC 9899:2011] states:

A field width, or precision, or both, may be indicated by an asterisk ('*'). In this case, an argument of type int supplies the field width or precision.
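As an added example (not code from the CERT page or text from the standard), the following C program walks a format string according to the structure described above (flags, width, precision, length modifier, conversion specifier) and counts the arguments the directives will fetch, treating each '*' as the int argument the standard requires. A second helper shows the corresponding caller-side check: a size_t width is passed through '*' only after confirming it fits in an int. Rejecting positional directives and the 'n' conversion is a conservative choice made for this example, not a requirement stated on the page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool is_digit(char c) { return c >= '0' && c <= '9'; }

/* Count the arguments a printf-style format string will fetch.
 * Returns -1 for a malformed directive: an unterminated '%', an unknown
 * conversion, a positional "%1$d" form (not parsed here), or "%n" (refused
 * as a deliberate policy of this example). Each '*' used for the field width
 * or the precision counts as one int argument (C11 7.21.6.1). */
int count_format_args(const char *fmt) {
    int nargs = 0;
    for (const char *p = fmt; *p != '\0'; ) {
        if (*p != '%') { p++; continue; }   /* ordinary character, copied unchanged */
        p++;
        if (*p == '%') { p++; continue; }   /* "%%" prints a literal '%', fetches nothing */

        /* zero or more flags, in any order */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL) p++;

        /* optional minimum field width: digits, or '*' fetching an int argument */
        if (*p == '*') { nargs++; p++; }
        else while (is_digit(*p)) p++;

        /* optional precision: '.' followed by digits, or '*' fetching an int argument */
        if (*p == '.') {
            p++;
            if (*p == '*') { nargs++; p++; }
            else while (is_digit(*p)) p++;
        }

        /* optional length modifier: hh, h, l, ll, j, z, t, L */
        if (*p == 'h' || *p == 'l') { char m = *p++; if (*p == m) p++; }
        else if (*p != '\0' && strchr("jztL", *p) != NULL) p++;

        /* conversion specifier: must be present and on the accepted list */
        if (*p == '\0' || strchr("diouxXfFeEgGaAcsp", *p) == NULL) return -1;
        nargs++;
        p++;
    }
    return nargs;
}

/* Right-justify s in a field of the given width using "%*s".
 * The '*' argument must be an int, so a size_t width is range-checked and
 * cast rather than passed directly. Returns the number of characters
 * written, or -1 if the width does not fit an int, snprintf reports an
 * encoding error, or the result would not fit in out (truncation refused). */
int format_field(char *out, size_t outsz, const char *s, size_t width) {
    if (width > INT_MAX) return -1;
    int n = snprintf(out, outsz, "%*s", (int)width, s);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

int main(void) {
    /* constructed sample format strings for the demonstration */
    const char *samples[] = { "%d %s\n", "%*.*s", "100%%", "%-08.3lf|%zu", "%", "%q", "%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], count_format_args(samples[i]));

    char buf[16];
    int n = format_field(buf, sizeof buf, "abc", 6);
    printf("field: [%s] (%d)\n", buf, n);
    return 0;
}
```

The counter is a static check a code reviewer or a build-time linter can apply to format strings that are string literals; it does not replace compiler diagnostics such as -Wformat, which also verify argument types.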

...

CERT C++ Secure Coding Standard: FIO00-CPP. Take care when creating format strings

ISO/IEC 9899:2011 Section 7.21.6.1, "The fprintf function"

...

MITRE CWE: CWE-686, "Function Call With Incorrect Argument Type"

Bibliography

...