...
As shown, care should be taken that the arguments passed to a format string function match up with the supplied format string.
Another common mistake is to use more format specifiers than supplied arguments. This results in undefined behavior, which could end up pulling extra values off the stack and unintentionally exposing data.
Code Block

```c
#include <stdio.h>

char const *error_msg = "Error occurred";
/* ... */
/* Noncompliant: the format string contains two %s conversions, but only one
 * argument is supplied; the second %s reads an argument that was never passed */
printf("Error (%s): %s", error_msg);
```
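The following is an added example, not code from the CERT page: it counts how many variadic arguments a printf-style format string will consume (treating `%%` as consuming none and each `*` width or precision as consuming an extra `int`), so that the contract between a format string and its argument list can be checked programmatically, and it shows the compliant form of the call above, written into a buffer with `snprintf` so the result can be inspected. The function names `count_format_args` and `report_error` and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count the variadic arguments a printf-style format string consumes.
 * Handles "%%" (consumes nothing), flags, numeric or '*' width and
 * precision ('*' consumes an int each), and length modifiers.
 * Returns -1 if the format ends in the middle of a conversion. */
int count_format_args(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p != '\0'; ++p) {
        if (*p != '%') {
            continue;
        }
        ++p;
        if (*p == '%') {
            continue;                   /* literal percent sign */
        }
        /* flags */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0') {
            ++p;
        }
        /* width: '*' takes the width from an int argument */
        if (*p == '*') {
            ++count;
            ++p;
        } else {
            while (*p >= '0' && *p <= '9') {
                ++p;
            }
        }
        /* precision: '*' takes the precision from an int argument */
        if (*p == '.') {
            ++p;
            if (*p == '*') {
                ++count;
                ++p;
            } else {
                while (*p >= '0' && *p <= '9') {
                    ++p;
                }
            }
        }
        /* length modifiers */
        while (*p == 'h' || *p == 'l' || *p == 'L' || *p == 'j' ||
               *p == 'z' || *p == 't') {
            ++p;
        }
        if (*p == '\0') {
            return -1;                  /* malformed: lone '%' at end of string */
        }
        ++count;                        /* the conversion itself consumes one argument */
    }
    return count;
}

/* Compliant form of the page's example: both %s conversions have an
 * argument. snprintf bounds the output; the return value is the length
 * the full message would have had. */
int report_error(char *buf, size_t n, const char *error_msg, const char *detail) {
    return snprintf(buf, n, "Error (%s): %s", error_msg, detail);
}

int main(void) {
    char buf[64];
    const char *fmt = "Error (%s): %s";    /* constructed sample format */
    printf("\"%s\" consumes %d argument(s)\n", fmt, count_format_args(fmt));
    report_error(buf, sizeof buf, "Error occurred", "disk full");
    printf("%s\n", buf);
    return 0;
}
```

With a literal format string, GCC and Clang's `-Wformat` (part of `-Wall`) report the argument-count mismatch at compile time; the counting function above is useful where the format is chosen at run time, for instance to reject a message template whose conversion count does not match the fixed number of values the caller will supply.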
Risk Assessment
Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.
...