The formatted output functions (fprintf() and related functions) convert, format, and print their arguments under control of a format string, defined as follows by the . The C Standard, subclause 7.2123.6.1, paragraph 3 [ISO/IEC 9899:20112024]:, specifies
The format shall be a multibyte character sequence, beginning and ending in its initial shift state. The format is composed of zero or more directives: ordinary multibyte characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments, converting them, if applicable, according to the corresponding conversion specifier, and then writing the result to the output stream.
...
- Zero or more flags (in any order), which modify the meaning of the conversion specification
- An optional minimum field width
- An optional precision that gives the minimum number of digits to appear for certain conversion specifiers, the maximum number of digits, or the maximum number of bytes, etc. depending on the conversion specifier
- An optional length modifier that specifies the size of the argument
- A conversion specifier character that indicates the type of conversion to be applied
Common mistakes in creating format strings include
- Providing insufficient an incorrect number of arguments for the format string
- Using invalid conversion specifiers
- Using a flag character that is incompatible with the conversion specifier
- Using a length modifier that is incompatible with the conversion specifier
- Mismatching the argument type and conversion specifier
- Using an argument of type other than
intfor width or precision
The following table summarizes the compliance of various conversion specifications. The first column contains a one or more conversion specifier character (or characters). The next four columns consider the combination of the specifier character(s) characters with the various flags (the apostrophe ['], -, +, the space character, #, and # 0). The next eight columns consider the combination of the specifier character(s) characters with the various length modifiers (h, hh, l, ll, j, z, t, and L). Here, valid
Valid combinations are marked with a type name; arguments matched with the conversion specification will be are interpreted as that type. For example, an argument matched with the specifier %hd will be is interpreted as a short, so short appears in the cell where d and h intersect. The last column denotes the expected type types of arguments matched with the original specifier characters.
Valid character(s). Throughout the table, valid and meaningful combinations are marked by the 
symbol (save for the length modifier columns, as described abovepreviously). Valid combinations that have no effect are labeled N/E. Using a combination marked by the 
symbol, using a specification not represented in the table, or using an argument of an unexpected type may result in is undefined behavior. (See undefined behaviors 153, 155, 157, 158, 161, and 162 in Annex J of the C Standard.)
Conversion |
|
|
|
|
|---|
|
|
|
|
|
|
|
| Argument | |
|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
| Signed integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer | |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer | |
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
| |
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
| |
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
| NTBS or NTWS | |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| Pointer to integer | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
| None |
Legend SPACE:
...
The space (" ") character
N/E
...
: No effect
...
NTBS: char* argument pointing to a null-terminated
...
character string
...
NTWS: wchar_t* argument pointing to a null-terminated wide character string
...
XSI: ISO/IEC 9945-2003 XSI extension
The format formatted input functions (fscanf() and related functions) use similarly - specified format strings and impose similar restrictions on their format strings and arguments.
Do not supply an unknown or invalid conversion specification or an invalid combination of flag character, precision, length modifier, or conversion specifier ; to a formatted IO function. Likewise, do not provide a number or type of arguments argument that do does not match the conversion specifiers argument type of the conversion specifier used in the format string.
Format strings are usually string literals specified at the call site, but they need not be. However, they should not contain tainted values. (See FIO30-C. Exclude user input from format strings for more information.)
Noncompliant Code Example
Mismatches between arguments and conversion specifications may result in undefined behavior. Many compilers can Compilers may diagnose type mismatches in formatted output function invocations. In the following this noncompliant code example, the error_type argument to printf() is incorrectly matched with the %s s specifier , rather than with the %d specifierthe d specifier. Likewise, the the error_msg argument is incorrectly matched with the %d d specifier instead of the %s specifier. the s specifier. These usages result in undefined behavior. One possible result of this invocation is that printf() will interpret the error_type argument as a pointer , and try to read a string from the address that error_type contains. This is likely to result , possibly resulting in an access violation.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { const char *error_msg = "Resource not available to user."; int error_type = 3; /* ... */ printf("Error (type %s): %d\n", error_type, error_msg); /* ... */ } |
Compliant Solution
This compliant solution ensures that the format arguments to the printf() function match their respective format conversion specifications:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { const char *error_msg = "Resource not available to user."; int error_type = 3; /* ... */ printf("Error (type %d): %s\n", error_type, error_msg); /* ... */ } |
Risk Assessment
In most cases, incorrectly Incorrectly specified format strings will can result in memory corruption or abnormal program termination. However, in some cases they can be used to corrupt memory in manners controllable by an attacker.
Rule |
|---|
Severity | Likelihood | Remediation Cost | Priority | Level | |
|---|---|---|---|---|---|
FIO47-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Axivion Bauhaus Suite |
| CertC-FIO47 | Fully implemented | ||||||
| CodeSonar |
| IO.INJ.FMT | Format string injection | ||||||
| Coverity |
| PW | Reports when the number of arguments differs from the number of required arguments according to the format string | ||||||
| GCC |
|
Can detect violations of this recommendation when the | |||||||||
| Helix QAC |
| C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0180, C0184, C0185, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0202, C0204, C0206, C0209 C++3150, C++3151, C++3152, C++3153, C++3154, C++3155, C++3156, C++3157, C++3158, C++3159 | |||||||
| Klocwork |
| SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD |
.SCAN_PARAMS_WRONGNUM.MANY | |||||||||
| LDRA tool suite |
| 486 S | Fully implemented |
0179 (U)
0180 (C99)
0184 (U)
0185 (U)
0190 (U)
0191 (U)
0192 (U)
0193 (U)
0194 (U)
0195 (U)
0196 (U)
0197 (U)
0198 (U)
0199 (U)
0200 (U)
0201 (U)
0202 (I)
0206 (U)
| Parasoft C/C++test |
| CERT_C-FIO47-a | There should be no mismatch between the '%s' and '%c' format specifiers in the format string and their corresponding arguments in the invocation of a string formatting function | ||||||
| PC-lint Plus |
| 492, 493, 494, 499, 557, | Fully supported | ||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO47-C | Check for format string specifiers and arguments mismatch (rule fully covered) | ||||||
| PVS-Studio |
| V510, V576 | |||||||
| TrustInSoft Analyzer |
| match format and arguments | Exhaustively verified (see the compliant and the non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C |
| FIO00-CPP. Take care when creating format strings | Prior to 2018-01-12: CERT: Unspecified Relationship | |
| ISO/IEC TS 17961:2013 | Using invalid format strings [invfmtstr] |
| Prior to 2018-01-12: CERT: Unspecified Relationship | |
| CWE 2.11 | CWE-686, Function |
| Call with Incorrect Argument Type | 2017-06-29: CERT: Partial overlap | |
| CWE 2.11 | CWE-685 | 2017-06-29: CERT: Partial overlap |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-686 and FIO47-C
Intersection( EXP37-C, FIO47-C) =
- Invalid argument types passed to format I/O function
EXP37-C – FIO47-C =
- Invalid argument types passed to non-format I/O function
FIO47-C – EXP37-C =
- Invalid format string, but correctly matches arguments in number and type
Intersection( CWE-686, FIO47-C) =
- Use of format strings that do not match the type of arguments
CWE-686 – FIO47-C =
- Incorrect argument type in functions outside of the printf() family.
FIO47-C – CWE-686 =
- Invalid format strings that still match their arguments in type
CWE-685 and FIO47-C
Intersection( CWE-685, FIO47-C) =
- Use of format strings that do not match the number of arguments
CWE-685 – FIO47-C =
- Incorrect argument number in functions outside of the printf() family.
FIO47-C – CWE-685 =
- Invalid format strings that still match their arguments in number
CWE-134 and FIO47-C
Intersection( FIO30-C, FIO47-C) =
- Use of untrusted and ill-specified format string
FIO30-C – FIO47-C =
- Use of untrusted, but well-defined format string
FIO47-C – FIO30-C =
- Use of Ill-defined, but trusted format string
FIO47-C = Union(CWE-134, list) where list =
- Using a trusted but invalid format string
Bibliography
...
...