The formatted output functions (fprintf() and related functions) convert, format, and print their arguments under control of a format string. The C Standard, 7.2123.6.1, paragraph 3 [ISO/IEC 9899:20112024], specifies
The format shall be a multibyte character sequence, beginning and ending in its initial shift state. The format is composed of zero or more directives: ordinary multibyte characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments, converting them, if applicable, according to the corresponding conversion specifier, and then writing the result to the output stream.
...
- Zero or more flags (in any order), which modify the meaning of the conversion specification
- An optional minimum field width
- An optional precision that gives the minimum number of digits, the maximum number of digits to appear for certain conversion specifiers, or the maximum number of bytes, etc. depending on the conversion specifier
- An optional length modifier that specifies the size of the argument
- A conversion specifier character that indicates the type of conversion to be applied
...
Valid and meaningful combinations are marked by the 
symbol (save for the length modifier columns, as described previously). Valid combinations that have no effect are labeled N/E. Using a combination marked by the 
symbol, using a specification not represented in the table, or using an argument of an unexpected type is undefined behavior. (See undefined behaviors 153, 155, 157, 158, 161, and 162.)
Conversion |
|
|
|
|
|
|
|
|
|
|
|
| Argument |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
| Signed integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
|
|
|
|
|
|
| Unsigned integer |
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
| N/E | N/E |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
| NTBS or NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Pointer to integer | ||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| NTWS |
|
|
|
|
|
|
|
|
|
|
|
|
| None |
SPACE: The space (" ") character
N/E: No effect
NTBS: char* argument pointing to a null-terminated character string
NTWS: wchar_t* argument pointing to a null-terminated wide character string
XSI: ISO/IEC 9945-2003 XSI extension
...
Incorrectly specified format strings can result in memory corruption or abnormal program termination.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO47-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Axivion Bauhaus Suite |
| CertC-FIO47 | Fully implemented | ||||||
| CodeSonar |
| IO.INJ.FMT | Format string injection | ||||||
| Coverity |
| PW | Reports when the number of arguments differs from the number of required arguments according to the format string | ||||||
| GCC |
|
Can detect violations of this recommendation when the | |||||||||
| Helix QAC |
| C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0180, C0184, C0185, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0202, C0204, C0206, C0209 C++3150, C++3151, C++3152, C++3153, C++3154, C++3155, C++3156, C++3157, C++3158, C++3159 | |||||||
| Klocwork |
| SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD |
| LDRA tool suite |
| 486 S | Fully implemented | ||||||
| Parasoft C/C++test |
0161, 0162, 0163, 0164, 0165, 0166, 0167, 0168, 0169,
0170, 0171, 0172, 0173, 0174, 0175, 0176, 0177, 0178, 0179 (U),
0180 (C99), 0184 (U), 0185 (U)
0190 (U), 0191 (U), 0192 (U), 0193 (U), 0194 (U)
0195 (U), 0196 (U), 0197 (U), 0198 (U), 0199 (U)
0200 (U), 0201 (U), 0202 (I), 0204, 0206 (U)
| CERT_C-FIO47-a | There should be no mismatch between the '%s' and '%c' format specifiers in the format string and their corresponding arguments in the invocation of a string formatting function | |||||||
| PC-lint Plus |
| 492, 493, 494, 499, 557, | Fully supported | ||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO47-C | Check for format string specifiers and arguments mismatch (rule fully covered) | ||||||
| PVS-Studio |
| V510, V576 | |||||||
| TrustInSoft Analyzer |
| match format and arguments | Exhaustively verified (see the compliant and the non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C | FIO00-CPP. Take care when creating format strings | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961:2013 | Using invalid format strings [invfmtstr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-686, Function Call with Incorrect Argument Type | 2017-06-29: CERT: Partial overlap |
| CWE 2.11 | CWE-685 | 2017-06-29: CERT: Partial overlap |
CERT-CWE Mapping Notes
Key here for mapping notes
...
- Using a trusted but invalid format string
Bibliography
...
...