...
Do not supply an unknown or invalid conversion specification, or an invalid combination of flag character, precision, length modifier, and conversion specifier, to a formatted IO function. Likewise, do not provide a number or type of arguments that does not match the conversion specifiers in the format string.
Format strings are usually string literals specified at the call site, but they need not be. They should, however, not contain unsanitized data; see FIO30-C. Exclude user input from format strings for more information.
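The following added example (not part of the original rule text) shows a formatting routine whose conversion specifications match the type and number of its arguments, with the mismatches it avoids listed in the comment. The `struct record` type, the `format_record` function, and the sample data are hypothetical and constructed for illustration.

```c
#include <inttypes.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record type, constructed for this example. */
struct record {
    size_t      length;   /* unsigned, width differs from int */
    int64_t     offset;   /* exact-width type, needs a PRI macro */
    const char *tag;      /* not necessarily NUL-terminated */
    size_t      tag_len;  /* number of valid bytes in tag */
};

/*
 * Format r into buf. Returns 0 on success, -1 on an encoding error,
 * truncation, or a tag length that cannot be passed as an int precision.
 *
 * Mismatches avoided here:
 *   "%d" with a size_t argument      -> undefined; use "%zu"
 *   "%ld" with an int64_t argument   -> wrong wherever int64_t is not long;
 *                                       use "%" PRId64
 *   "%.*s" with a size_t precision   -> the '*' argument must be an int
 *   more specifiers than arguments   -> undefined; counts must match
 */
int format_record(char *buf, size_t bufsz, const struct record *r)
{
    if (r->tag_len > INT_MAX)
        return -1;                       /* cannot be expressed as int */
    int n = snprintf(buf, bufsz, "len=%zu off=%" PRId64 " tag=%.*s",
                     r->length, r->offset, (int)r->tag_len, r->tag);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;                       /* encoding error or truncation */
    return 0;
}

int main(void)
{
    const char raw[] = { 'a', 'b', 'c', 'd', 'e' };  /* no terminator */
    struct record r = { 1234, -5000000000LL, raw, 3 };
    char buf[64];
    if (format_record(buf, sizeof buf, &r) == 0)
        puts(buf);
    return 0;
}
```

Compiling with `-Wall` (which enables `-Wformat` in GCC and Clang) reports most such mismatches when the format string is a literal at the call site.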
Noncompliant Code Example
...