The formatted output functions (fprintf() and related functions) convert, format, and print their arguments under control of a format string. The C Standard, 7.2123.6.1, paragraph 3 [ISO/IEC 9899:20112024], specifies
The format shall be a multibyte character sequence, beginning and ending in its initial shift state. The format is composed of zero or more directives: ordinary multibyte characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments, converting them, if applicable, according to the corresponding conversion specifier, and then writing the result to the output stream.
...
- Zero or more flags (in any order), which modify the meaning of the conversion specification
- An optional minimum field width
- An optional precision that gives the minimum number of digits, the maximum number of digits to appear for certain conversion specifiers, or the maximum number of bytes, etc. depending on the conversion specifier
- An optional length modifier that specifies the size of the argument
- A conversion specifier character that indicates the type of conversion to be applied
...
Conversion |
|
|
|
|
|
|
|
|
|
|
|
| Argument |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
| Signed integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
| NTBS or NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Pointer to integer |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
| None |
SPACE: The space (" ") character
N/E: No effect
NTBS: char* argument pointing to a null-terminated character string
NTWS: wchar_t* argument pointing to a null-terminated wide character string
XSI: ISO/IEC 9945-2003 XSI extension
...
Tool | Version | Checker | Description | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Axivion Bauhaus Suite |
| CertC-FIO47 | Fully implemented | |||||||||||||
| CodeSonar |
| IO.INJ.FMT | Format string injection | |||||||||||||
| Coverity |
| PW | Reports when the number of arguments differs from the number of required arguments according to the format string | |||||||||||||
| GCC |
| Can detect violations of this recommendation when the | ||||||||||||||
| Helix QAC |
| C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0180, C0184, C0185, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0202, C0204, C0206, C0209 C++3150, C++3151, C++3152, C++3153, C++3154, C++3155, C++3156, C++3157, C++3158, C++3159 | ||||||||||||||
| Klocwork |
| SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD | ||||||||||||||
| LDRA tool suite |
| 486 S | Fully implemented | |||||||||||||
| Parasoft C/C++test |
| CERT_C-FIO47-a | There should be no mismatch between the '%s' or and '%c' tag from format specifiers in the format string and its their corresponding argument in 'printf' function invocationarguments in the invocation of a string formatting function | Polypsace Bug Finder | ||||||||||||
| Include Page | Polyspace Bug Finder_V | Polyspace Bug Finder_V | Format string specifiers and arguments mismatch | String specifiers do not match corresponding arguments | arguments in the invocation of a string formatting function should be equal | |||||||||||
| PC-lint Plus |
| 492, 493, 494, 499, 557, | Fully supported | |||||||||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO47-C | Check for format string specifiers and arguments mismatch (rule fully covered) | PRQA QA-C | ||||||||||||
| Include Page | PRQA QA-C_v | PRQA QA-C_v | 0161, 0162, 0163, 0164, 0165, 0166, 0167, 0168, 0169, 0170, 0171, 0172, 0173, 0174, 0175, 0176, 0177, 0178, 0179 (U), 0180 (C99), 0184 (U), 0185 (U) | Partially implemented|||||||||||||
| PVS-Studio |
| V510, V576 | ||||||||||||||
| TrustInSoft Analyzer |
| match format and arguments | Exhaustively verified (see the compliant and the non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Bibliography
| [ISO/IEC 9899:20112024] | Subclause 7.2123.6.1, "The fprintf Function" |
...