...
The formatted IO functions fprintf(), printf(), sprintf(), snprintf(), vfprintf(), vprintf(), vsprintf(), and vsnprintf() convert, format, and print their arguments under control of a format string. According to Section 7.21.6.1 of the C standard [ISO/IEC 9899:19992011], states:
The format is shall be a multibyte character stringsequence, beginning and ending in its initial shift state, if any. The format is composed of zero or more directives: ordinary multibyte characters (not %), which are simply copied unchanged to the output stream, ; and conversion specifications, each of which shall result results in the fetching of zero or more subsequent arguments, converting them, if applicable, according to the corresponding conversion specifier, and then writing the result to the output stream.
Each conversion specification is introduced by the '%' character followed by the following (in order): by
- Zero or more flags (in any order), which modify the meaning of the conversion specification.
- An optional minimum field width.
- An optional precision that gives the minimum number of digits to appear for certain conversion specifiers.
- An optional length modifier that specifies the size of the argument.
- A conversion specifier character that indicates the type of conversion to be applied.
Common mistakes in creating format strings include
...
The following table summarizes C99C-compliant conversion specifiers along with the flag characters characters valid for each specification (the apostrophe ('), -, +, the space character, and # in columns 2 , through 5) and length modifiers (h, hh, l, ll, j, z, t, and L in columns 6 through 13) valid for each specification, and the type of the expected argument. Valid and meaningful combinations of a conversion specification, flag character, and length modifier is denoted by the 
symbol in the corresponding cell or by the name of the type argument effected affected by the length modifier. Valid combinations that have no effect are denoted by N/E. Using a combination of a conversion specification, flag character, and length modifier denoted by the 
symbol or a specification not listed in the table, or using an argument of an unexpected type, may result in undefined behavior. See undefined behavior 145behaviors 153, 149 157, 150 158, 153 161, and 154 162 in Annex J of C99C11.
Conversion |
|
|
|
|
|
|
|
|
|
|
|
|
| Argument |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
| signed integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
| unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
| unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
| unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
| unsigned integer |
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
| NTBS or NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| pointer to integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
|
| none |
Legend:
- SPACE---the SPACE—the space (
' ') character - N/E---No —No Effect
- NTBS---NTBS—
char*argument pointing to a Null-Terminated Byte StringNTWSnull-terminated byte string - NTWS—---
wchar_t*argument pointing to a Null-Terminated Wide character Stringnull-terminated wide-character string - XSI—XSI---ISO/IEC 9945-2003 XSI extension
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %d): %s\n", error_type, error_msg);
|
...
The width and precision arguments to printf() format directives must be of type int. According to C99. Section 7.21.6.1 of the C standard [ISO/IEC 9899:2011], states:
A field width, or precision, or both, may be indicated by an asterisk ('*'). In this case, an argument of type
intsupplies the field width or precision.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int print_int(int i, size_t width, size_t prec) {
int n;
n = printf("%*.*d", width, prec, i);
return n;
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int print_int(int i, int width, int prec) {
int n;
n = printf("%*.*d", width, prec, i);
return n;
}
|
...
Tool | Version | Checker | Description | section|||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | Section | 486 S | Fully Implementedimplemented. | |||||||||
| Section | GCC |
|
| | Section | Can detect violations of this recommendation when the | |||||||
| Section | |
| SV.FMT_STR. |
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
CERT C++ Secure Coding Standard: FIO00-CPP. Take care when creating format strings
ISO/IEC 9899:19992011 Section 7.1921.6.1, "The fprintf function"
ISO/IEC TR 17961 (Draft) Using invalid format strings [invfmtstr]
MITRE CWE: CWE-686, "Function Call With Incorrect Argument Type"
...