.\" Copyright (c) 1999 Andries Brouwer (aeb@cwi.nl)
.\"
+.\" Earlier versions of this page influenced the present text.
+.\" It was derived from a Berkeley page with version
+.\" @(#)printf.3 6.14 (Berkeley) 7/30/91
+.\" converted for Linux by faith@cs.unc.edu, updated by
+.\" Helmut.Geyer@iwr.uni-heidelberg.de, agulbra@troll.no and Bruno Haible.
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
-.\" License along with this manual; if not, write to the Free
-.\" Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111,
-.\" USA.
-.\"
-.\"
-.\" Earlier versions of this page influenced the present text.
-.\" It was derived from a Berkeley page with version
-.\" @(#)printf.3 6.14 (Berkeley) 7/30/91
-.\" converted for Linux by faith@cs.unc.edu, updated by
-.\" Helmut.Geyer@iwr.uni-heidelberg.de, agulbra@troll.no and Bruno Haible.
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
.\"
.\" 1999-11-25 aeb - Rewritten, using SUSv2 and C99.
.\" 2000-07-26 jsm28@hermes.cam.ac.uk - three small fixes
.\" 2000-10-16 jsm28@hermes.cam.ac.uk - more fixes
.\"
-.TH PRINTF 3 2007-11-26 "GNU" "Linux Programmer's Manual"
+.TH PRINTF 3 2017-09-15 "GNU" "Linux Programmer's Manual"
.SH NAME
-printf, fprintf, sprintf, snprintf, vprintf, vfprintf, vsprintf, vsnprintf \- formatted output conversion
+printf, fprintf, dprintf, sprintf, snprintf, vprintf, vfprintf, vdprintf,
+vsprintf, vsnprintf \- formatted output conversion
.SH SYNOPSIS
+.nf
.B #include <stdio.h>
-.sp
+.PP
.BI "int printf(const char *" format ", ...);"
-.br
.BI "int fprintf(FILE *" stream ", const char *" format ", ...);"
-.br
+.BI "int dprintf(int " fd ", const char *" format ", ...);"
.BI "int sprintf(char *" str ", const char *" format ", ...);"
-.br
.BI "int snprintf(char *" str ", size_t " size ", const char *" format ", ...);"
-.sp
+
.B #include <stdarg.h>
-.sp
+.PP
.BI "int vprintf(const char *" format ", va_list " ap );
-.br
.BI "int vfprintf(FILE *" stream ", const char *" format ", va_list " ap );
-.br
+.BI "int vdprintf(int " fd ", const char *" format ", va_list " ap );
.BI "int vsprintf(char *" str ", const char *" format ", va_list " ap );
-.br
-.BI "int vsnprintf(char *" str ", size_t " size ", const char *" format ", va_list " ap );
-.sp
+.BI "int vsnprintf(char *" str ", size_t " size ", const char *" format \
+", va_list " ap );
+.fi
+.PP
.in -4n
Feature Test Macro Requirements for glibc (see
.BR feature_test_macros (7)):
.in
-.sp
+.PP
.ad l
.BR snprintf (),
.BR vsnprintf ():
-_BSD_SOURCE || _XOPEN_SOURCE\ >=\ 500 || _ISOC99_SOURCE; or
-.I "cc -std=c99"
-.ad b
+.RS 4
+_XOPEN_SOURCE\ >=\ 500 || _ISOC99_SOURCE ||
+ || /* Glibc versions <= 2.19: */ _BSD_SOURCE
+.RE
+.PP
+.BR dprintf (),
+.BR vdprintf ():
+.PD 0
+.RS 4
+.TP 4
+Since glibc 2.10:
+_POSIX_C_SOURCE\ >=\ 200809L
+.TP
+Before glibc 2.10:
+_GNU_SOURCE
+.RE
+.ad
+.PD
.SH DESCRIPTION
The functions in the
.BR printf ()
and
.BR vsnprintf ()
write to the character string
-.IR str .
+.IR str .
+.PP
+The function
+.BR dprintf ()
+is the same as
+.BR fprintf ()
+except that it outputs to a file descriptor,
+.IR fd ,
+instead of to a
+.I stdio
+stream.
.PP
The functions
.BR snprintf ()
.BR vsnprintf ()
write at most
.I size
-bytes (including the trailing null byte (\(aq\e0\(aq)) to
+bytes (including the terminating null byte (\(aq\e0\(aq)) to
.IR str .
.PP
The functions
.BR vprintf (),
.BR vfprintf (),
+.BR vdprintf (),
.BR vsprintf (),
.BR vsnprintf ()
are equivalent to the functions
.BR printf (),
.BR fprintf (),
+.BR dprintf (),
.BR sprintf (),
.BR snprintf (),
respectively, except that they are called with a
See
.BR stdarg (3).
.PP
-These eight functions write the output under the control of a
+All of these functions write the output under the control of a
.I format
string that specifies how subsequent arguments (or arguments accessed via
the variable-length argument facilities of
.BR stdarg (3))
are converted for output.
-.SS "Return value"
-Upon successful return, these functions return the number of characters
-printed (not including the trailing \(aq\e0\(aq used to end output to strings).
-
-The functions
-.BR snprintf ()
-and
+.PP
+C99 and POSIX.1-2001 specify that the results are undefined if a call to
+.BR sprintf (),
+.BR snprintf (),
+.BR vsprintf (),
+or
.BR vsnprintf ()
-do not write more than
-.I size
-bytes (including the trailing \(aq\e0\(aq).
-If the output was truncated due to this limit then the return value
-is the number of characters (not including the trailing \(aq\e0\(aq)
-which would have been written to the final string if enough space
-had been available.
-Thus, a return value of
-.I size
-or more means that the output was truncated.
-(See also below under NOTES.)
-
-If an output error is encountered, a negative value is returned.
-.SS "Format of the format string"
+would cause copying to take place between objects that overlap
+(e.g., if the target string array and one of the supplied input arguments
+refer to the same buffer).
+See NOTES.
+.SS Format of the format string
The format string is a character string, beginning and ending
in its initial shift state, if any.
The format string is composed of zero or more directives: ordinary
.I precision
and an optional
.IR "length modifier" .
-
+.PP
The arguments must correspond properly (after type promotion) with the
conversion specifier.
By default, the arguments are used in the order
-given, where each \(aq*\(aq and each conversion specifier asks for the next
+given, where each \(aq*\(aq (see
+.I "Field width"
+and
+.I Precision
+below) and each conversion specifier asks for the next
argument (and it is an error if insufficiently many arguments are given).
One can also specify explicitly which argument is taken,
at each place where an argument is required, by writing "%m$" instead
-of \(aq%\(aq and "*m$" instead of \(aq*\(aq, where the decimal integer m denotes
+of \(aq%\(aq and "*m$" instead of \(aq*\(aq,
+where the decimal integer \fIm\fP denotes
the position in the argument list of the desired argument, indexed starting
from 1.
Thus,
+.PP
.in +4n
-.nf
-
+.EX
printf("%*d", width, num);
-
-.fi
+.EE
.in
+.PP
and
+.PP
.in +4n
-.nf
-
+.EX
printf("%2$*1$d", width, num);
-
-.fi
+.EE
.in
+.PP
are equivalent.
The second style allows repeated references to the
same argument.
The C99 standard does not include the style using \(aq$\(aq,
-which comes from the Single Unix Specification.
+which comes from the Single UNIX Specification.
If the style using
\(aq$\(aq is used, it must be used throughout for all conversions taking an
argument and all width and precision arguments, but it may be mixed
-with "%%" formats which do not consume an argument.
+with "%%" formats, which do not consume an argument.
There may be no
gaps in the numbers of arguments specified using \(aq$\(aq; for example, if
arguments 1 and 3 are specified, argument 2 must also be specified
somewhere in the format string.
-
+.PP
For some numeric conversions a radix character ("decimal point") or
thousands' grouping character is used.
The actual character used
depends on the
.B LC_NUMERIC
part of the locale.
+(See
+.BR setlocale (3).)
The POSIX locale
uses \(aq.\(aq as radix character, and does not have a grouping character.
Thus,
+.PP
.in +4n
-.nf
-
+.EX
printf("%\(aq.2f", 1234567.89);
-
-.fi
+.EE
.in
+.PP
results in "1234567.89" in the POSIX locale, in "1234567,89" in the
nl_NL locale, and in "1.234.567,89" in the da_DK locale.
-.SS "The flag characters"
+.SS Flag characters
The character % is followed by zero or more of the following flags:
.TP
.B #
.B x
and
.B X
-conversions, a non-zero result has the string "0x" (or "0X" for
+conversions, a nonzero result has the string "0x" (or "0X" for
.B X
conversions) prepended to it.
For
.B \-
The converted value is to be left adjusted on the field boundary.
(The default is right justification.)
-Except for
-.B n
-conversions, the converted value is padded on the right with blanks, rather
+The converted value is padded on the right with blanks, rather
than on the left with blanks or zeros.
A
.B \-
.B +
A sign (+ or \-) should always be placed before a number produced by a signed
conversion.
-By default a sign is used only for negative numbers.
+By default, a sign is used only for negative numbers.
A
.B +
overrides a space if both are used.
.PP
-The five flag characters above are defined in the C standard.
-The SUSv2 specifies one further flag character.
+The five flag characters above are defined in the C99 standard.
+The Single UNIX Specification specifies one further flag character.
.TP
.B \(aq
For decimal conversion
.BR G )
the output is to be grouped with thousands' grouping characters
if the locale information indicates any.
+(See
+.BR setlocale (3).)
Note that many versions of
.BR gcc (1)
cannot parse this option and will issue a warning.
-SUSv2 does not
-include \fI%\(aqF\fP.
+(SUSv2 did not
+include \fI%\(aqF\fP, but SUSv3 added it.)
.PP
glibc 2.2 adds one further flag character.
.TP
For example, since glibc 2.2.3 this will give Arabic-Indic digits
in the Persian ("fa_IR") locale.
.\" outdigits keyword in locale file
-.SS "The field width"
-An optional decimal digit string (with non-zero first digit) specifying
+.SS Field width
+An optional decimal digit string (with nonzero first digit) specifying
a minimum field width.
If the converted value has fewer characters
than the field width, it will be padded with spaces on the left
In no case does a nonexistent or small field width cause truncation of a
field; if the result of a conversion is wider than the field width, the
field is expanded to contain the conversion result.
-.SS "The precision"
+.SS Precision
An optional precision, in the form of a period (\(aq.\(aq) followed by an
optional decimal digit string.
Instead of a decimal digit string one may write "*" or "*m$"
-(for some decimal integer m) to specify that the precision
-is given in the next argument, or in the m-th argument, respectively,
+(for some decimal integer \fIm\fP) to specify that the precision
+is given in the next argument, or in the \fIm\fP-th argument, respectively,
which must be of type
.IR int .
-If the precision is given as just \(aq.\(aq, or the precision is negative,
-the precision is taken to be zero.
+If the precision is given as just \(aq.\(aq, the precision is taken to
+be zero.
+A negative precision is taken as if the precision were omitted.
This gives the minimum number of digits to appear for
.BR d ,
.BR i ,
and
.B S
conversions.
-.SS "The length modifier"
+.SS Length modifier
Here, "integer conversion" stands for
.BR d ,
.BR i ,
.I long long int
argument.
.TP
+.B q
+A synonym for
+.BR ll .
+This is a nonstandard extension, derived from BSD;
+avoid its use in new code.
+.TP
.B L
A following
.BR a ,
argument.
(C99 allows %LF, but SUSv2 does not.)
.TP
-.B q
-("quad". 4.4BSD and Linux libc5 only.
-Don't use.)
-This is a synonym for
-.BR ll .
-.TP
.B j
A following integer conversion corresponds to an
.I intmax_t
or
.I uintmax_t
+argument, or a following
+.B n
+conversion corresponds to a pointer to an
+.I intmax_t
argument.
.TP
.B z
.I size_t
or
.I ssize_t
+argument, or a following
+.B n
+conversion corresponds to a pointer to a
+.I size_t
argument.
-(Linux libc5 has
+.TP
.B Z
-with this meaning.
-Don't use it.)
+A nonstandard synonym for
+.BR z
+that predates the appearance of
+.BR z .
+Do not use in new code.
.TP
.B t
A following integer conversion corresponds to a
.I ptrdiff_t
+argument, or a following
+.B n
+conversion corresponds to a pointer to a
+.I ptrdiff_t
argument.
.PP
-The SUSv2 only knows about the length modifiers
+SUSv3 specifies all of the above,
+except for those modifiers explicitly noted as being nonstandard extensions.
+SUSv2 specified only the length modifiers
.B h
(in
.BR hd ,
.BR Lf ,
.BR Lg ,
.BR LG ).
-.SS "The conversion specifier"
+.PP
+As a nonstandard extension, the GNU implementations treats
+.B ll
+and
+.B L
+as synonyms, so that one can, for example, write
+.BR llg
+(as a synonym for the standards-compliant
+.RB Lg )
+and
+.BR Ld
+(as a synonym for the standards compliant
+.BR lld ).
+Such usage is nonportable.
+.\"
+.SS Conversion specifiers
A character that specifies the type of conversion to be applied.
The conversion specifiers and their meanings are:
.TP
-.BR d , i
+.BR d ", " i
The
.I int
argument is converted to signed decimal notation.
The default precision is 1.
When 0 is printed with an explicit precision 0, the output is empty.
.TP
-.BR o , u , x , X
+.BR o ", " u ", " x ", " X
The
.I "unsigned int"
argument is converted to unsigned octal
The default precision is 1.
When 0 is printed with an explicit precision 0, the output is empty.
.TP
-.BR e , E
+.BR e ", " E
The
.I double
argument is rounded and converted in the style
-.if \w'\*(Pm'=0 .ds Pm \(+-
-.RB [\-]d \&. ddd e \\*(Pmdd
+.RB [\-]d \&. ddd e \(+-dd
where there is one digit before the decimal-point character and the number
of digits after it is equal to the precision; if the precision is missing,
it is taken as 6; if the precision is zero, no decimal-point character
The exponent always contains at least two
digits; if the value is zero, the exponent is 00.
.TP
-.BR f , F
+.BR f ", " F
The
.I double
argument is rounded and converted to decimal notation in the style
If the precision is missing, it is taken as
6; if the precision is explicitly zero, no decimal-point character appears.
If a decimal point appears, at least one digit appears before it.
-
-(The SUSv2 does not know about
+.IP
+(SUSv2 does not know about
.B F
and says that character string representations for infinity and NaN
may be made available.
+SUSv3 adds a specification for
+.BR F .
The C99 standard specifies "[\-]inf" or "[\-]infinity"
for infinity, and a string starting with "nan" for NaN, in the case of
.B f
-conversion, and "[\-]INF" or "[\-]INFINITY" or "NAN*" in the case of
+conversion, and "[\-]INF" or "[\-]INFINITY" or "NAN" in the case of
.B F
conversion.)
.TP
-.BR g , G
+.BR g ", " G
The
.I double
argument is converted in style
fractional part of the result; a decimal point appears only if it is
followed by at least one digit.
.TP
-.BR a , A
-(C99; not in SUSv2) For
+.BR a ", " A
+(C99; not in SUSv2, but added in SUSv3)
+For
.B a
conversion, the
.I double
argument is converted to hexadecimal notation (using the letters abcdef)
in the style
-.RB [\-] 0x h \&. hhhh p \\*(Pmd;
+.RB [\-] 0x h \&. hhhh p \(+-;
for
.B A
conversion the prefix
if an exact representation in base 2 exists
and otherwise is sufficiently large to distinguish values of type
.IR double .
-The digit before the decimal point is unspecified for non-normalized
-numbers, and non-zero but otherwise unspecified for normalized numbers.
+The digit before the decimal point is unspecified for nonnormalized
+numbers, and nonzero but otherwise unspecified for normalized numbers.
.TP
.B c
If no
.B s
If no
.B l
-modifier is present: The
-.I "const char *"
+modifier is present: the
+.I "const char\ *"
argument is expected to be a pointer to an array of character type (pointer
to a string).
Characters from the array are written up to (but not
If a precision is given, no null byte need be present;
if the precision is not specified, or is greater than the size of the
array, the array must contain a terminating null byte.
-
+.IP
If an
.B l
-modifier is present: The
-.I "const wchar_t *"
+modifier is present: the
+.I "const wchar_t\ *"
argument is expected to be a pointer to an array of wide characters.
Wide characters from the array are converted to multibyte characters
(each by a call to the
exceeds it before the end of the array is reached.
.TP
.B C
-(Not in C99, but in SUSv2.)
+(Not in C99 or C11, but in SUSv2, SUSv3, and SUSv4.)
Synonym for
.BR lc .
Don't use.
.TP
.B S
-(Not in C99, but in SUSv2.)
+(Not in C99 or C11, but in SUSv2, SUSv3, and SUSv4.)
Synonym for
.BR ls .
Don't use.
.TP
.B p
The
-.I "void *"
+.I "void\ *"
pointer argument is printed in hexadecimal (as if by
.B %#x
or
-.BR %#lx ).
+.BR %#lx ).
.TP
.B n
The number of characters written so far is stored into the integer
-indicated by the
-.I "int *"
-(or variant) pointer argument.
+pointed to by the corresponding argument.
+That argument shall be an
+.IR "int\ *" ,
+or variant whose size matches the (optionally)
+supplied integer length modifier.
No argument is converted.
+(This specifier is not supported by the bionic C library.)
+The behavior is undefined if the conversion specification includes
+any flags, a field width, or a precision.
.TP
.B m
-(Glibc extension.)
+(Glibc extension; supported by uClibc and musl.)
Print output of
.IR strerror(errno) .
No argument is required.
No argument is converted.
The complete conversion
specification is \(aq%%\(aq.
-.SH "CONFORMING TO"
-The
+.SH RETURN VALUE
+Upon successful return, these functions return the number of characters
+printed (excluding the null byte used to end output to strings).
+.PP
+The functions
+.BR snprintf ()
+and
+.BR vsnprintf ()
+do not write more than
+.I size
+bytes (including the terminating null byte (\(aq\e0\(aq)).
+If the output was truncated due to this limit, then the return value
+is the number of characters (excluding the terminating null byte)
+which would have been written to the final string if enough space
+had been available.
+Thus, a return value of
+.I size
+or more means that the output was truncated.
+(See also below under NOTES.)
+.PP
+If an output error is encountered, a negative value is returned.
+.SH ATTRIBUTES
+For an explanation of the terms used in this section, see
+.BR attributes (7).
+.TS
+allbox;
+lbw23 lb lb
+l l l.
+Interface Attribute Value
+T{
+.BR printf (),
+.BR fprintf (),
+.br
+.BR sprintf (),
+.BR snprintf (),
+.br
+.BR vprintf (),
+.BR vfprintf (),
+.br
+.BR vsprintf (),
+.BR vsnprintf ()
+T} Thread safety MT-Safe locale
+.TE
+.sp 1
+.SH CONFORMING TO
.BR fprintf (),
.BR printf (),
.BR sprintf (),
.BR vprintf (),
.BR vfprintf (),
-and
-.BR vsprintf ()
-functions conform to C89 and C99.
+.BR vsprintf ():
+POSIX.1-2001, POSIX.1-2008, C89, C99.
+.PP
+.BR snprintf (),
+.BR vsnprintf ():
+POSIX.1-2001, POSIX.1-2008, C99.
+.PP
The
-.BR snprintf ()
+.BR dprintf ()
and
-.BR vsnprintf ()
-functions conform to C99.
+.BR vdprintf ()
+functions were originally GNU extensions that were later standardized
+in POSIX.1-2008.
.PP
Concerning the return value of
.BR snprintf (),
to be NULL in this case, and gives the return value (as always)
as the number of characters that would have been written in case
the output string has been large enough.
+POSIX.1-2001 and later align their specification of
+.BR snprintf ()
+with C99.
+.\" .PP
+.\" Linux libc4 knows about the five C standard flags.
+.\" It knows about the length modifiers \fBh\fP, \fBl\fP, \fBL\fP,
+.\" and the conversions
+.\" \fBc\fP, \fBd\fP, \fBe\fP, \fBE\fP, \fBf\fP, \fBF\fP,
+.\" \fBg\fP, \fBG\fP, \fBi\fP, \fBn\fP, \fBo\fP, \fBp\fP,
+.\" \fBs\fP, \fBu\fP, \fBx\fP, and \fBX\fP,
+.\" where \fBF\fP is a synonym for \fBf\fP.
+.\" Additionally, it accepts \fBD\fP, \fBO\fP, and \fBU\fP as synonyms
+.\" for \fBld\fP, \fBlo\fP, and \fBlu\fP.
+.\" (This is bad, and caused serious bugs later, when
+.\" support for \fB%D\fP disappeared.)
+.\" No locale-dependent radix character,
+.\" no thousands' separator, no NaN or infinity, no "%m$" and "*m$".
+.\" .PP
+.\" Linux libc5 knows about the five C standard flags and the \(aq flag,
+.\" locale, "%m$" and "*m$".
+.\" It knows about the length modifiers \fBh\fP, \fBl\fP, \fBL\fP,
+.\" \fBZ\fP, and \fBq\fP, but accepts \fBL\fP and \fBq\fP
+.\" both for \fIlong double\fP and for \fIlong long int\fP (this is a bug).
+.\" It no longer recognizes \fBF\fP, \fBD\fP, \fBO\fP, and \fBU\fP,
+.\" but adds the conversion character
+.\" .BR m ,
+.\" which outputs
+.\" .IR strerror(errno) .
+.\" .PP
+.\" glibc 2.0 adds conversion characters \fBC\fP and \fBS\fP.
.PP
-Linux libc4 knows about the five C standard flags.
-It knows about the length modifiers h,l,L, and the conversions
-cdeEfFgGinopsuxX, where F is a synonym for f.
-Additionally, it accepts D,O,U as synonyms for ld,lo,lu.
-(This is bad, and caused serious bugs later, when
-support for %D disappeared.)
-No locale-dependent radix character,
-no thousands' separator, no NaN or infinity, no %m$ and *m$.
+glibc 2.1 adds length modifiers \fBhh\fP, \fBj\fP, \fBt\fP, and \fBz\fP
+and conversion characters \fBa\fP and \fBA\fP.
.PP
-Linux libc5 knows about the five C standard flags and the \(aq flag,
-locale, %m$ and *m$.
-It knows about the length modifiers h,l,L,Z,q, but accepts L and q
-both for \fIlong double\fP and for \fIlong long int\fP (this is a bug).
-It no longer recognizes FDOU, but adds the conversion character
-.BR m ,
-which outputs
-.IR strerror(errno) .
+glibc 2.2 adds the conversion character \fBF\fP with C99 semantics,
+and the flag character \fBI\fP.
+.SH NOTES
+Some programs imprudently rely on code such as the following
.PP
-glibc 2.0 adds conversion characters C and S.
+ sprintf(buf, "%s some further text", buf);
.PP
-glibc 2.1 adds length modifiers hh,j,t,z and conversion characters a,A.
+to append text to
+.IR buf .
+However, the standards explicitly note that the results are undefined
+if source and destination buffers overlap when calling
+.BR sprintf (),
+.BR snprintf (),
+.BR vsprintf (),
+and
+.BR vsnprintf ().
+.\" http://sourceware.org/bugzilla/show_bug.cgi?id=7075
+Depending on the version of
+.BR gcc (1)
+used, and the compiler options employed, calls such as the above will
+.B not
+produce the expected results.
.PP
-glibc 2.2 adds the conversion character F with C99 semantics, and the
-flag character I.
-.SH NOTES
The glibc implementation of the functions
.BR snprintf ()
and
.BR vsnprintf ()
conforms to the C99 standard, that is, behaves as described above,
since glibc version 2.1.
-Until glibc 2.0.6 they would return \-1
+Until glibc 2.0.6, they would return \-1
when the output was truncated.
.\" .SH HISTORY
-.\" Unix V7 defines the three routines
+.\" UNIX V7 defines the three routines
.\" .BR printf (),
.\" .BR fprintf (),
.\" .BR sprintf (),
.BR asprintf (3)
and
.BR vasprintf (3)).
-.PP
-Linux libc4.[45] does not have a
-.BR snprintf (),
-but provides a libbsd that contains an
-.BR snprintf ()
-equivalent to
-.BR sprintf (),
-that is, one that ignores the
-.I size
-argument.
-Thus, the use of
-.BR snprintf ()
-with early libc4 leads to serious security problems.
+.\" .PP
+.\" Linux libc4.[45] does not have a
+.\" .BR snprintf (),
+.\" but provides a libbsd that contains an
+.\" .BR snprintf ()
+.\" equivalent to
+.\" .BR sprintf (),
+.\" that is, one that ignores the
+.\" .I size
+.\" argument.
+.\" Thus, the use of
+.\" .BR snprintf ()
+.\" with early libc4 leads to serious security problems.
.PP
Code such as
.BI printf( foo );
may contain a % character.
If
.I foo
-comes from untrusted user input, it may contain %n, causing the
+comes from untrusted user input, it may contain \fB%n\fP, causing the
.BR printf ()
call to write to memory and creating a security hole.
.\" .PP
-.\" Some floating point conversions under early libc4
+.\" Some floating-point conversions under early libc4
.\" caused memory leaks.
.SH EXAMPLE
-.if \w'\*(Pi'=0 .ds Pi pi
-To print \*(Pi to five decimal places:
+To print
+.I Pi
+to five decimal places:
+.PP
.in +4n
-.nf
-
+.EX
#include <math.h>
#include <stdio.h>
fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0));
-.fi
+.EE
.in
.PP
To print a date and time in the form "Sunday, July 3, 10:02",
and
.I month
are pointers to strings:
+.PP
.in +4n
-.nf
-
+.EX
#include <stdio.h>
fprintf(stdout, "%s, %s %d, %.2d:%.2d\en",
weekday, month, day, hour, min);
-.fi
+.EE
.in
.PP
Many countries use the day-month-year order.
Hence, an internationalized version must be able to print
the arguments in an order specified by the format:
+.PP
.in +4n
-.nf
-
+.EX
#include <stdio.h>
fprintf(stdout, format,
weekday, month, day, hour, min);
-
-.fi
+.EE
.in
+.PP
where
.I format
depends on locale, and may permute the arguments.
With the value:
+.PP
.in +4n
-.nf
-
+.EX
"%1$s, %3$d. %2$s, %4$d:%5$.2d\en"
-
-.fi
+.EE
.in
+.PP
one might obtain "Sonntag, 3. Juli, 10:02".
.PP
To allocate a sufficiently large string and print into it
(code correct for both glibc 2.0 and glibc 2.1):
-.nf
-
+.PP
+.EX
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
char *
make_message(const char *fmt, ...)
{
- /* Guess we need no more than 100 bytes. */
- int n, size = 100;
- char *p, *np;
+ int size = 0;
+ char *p = NULL;
va_list ap;
- if ((p = malloc(size)) == NULL)
+ /* Determine required size */
+
+ va_start(ap, fmt);
+ size = vsnprintf(p, size, fmt, ap);
+ va_end(ap);
+
+ if (size < 0)
+ return NULL;
+
+ size++; /* For '\\0' */
+ p = malloc(size);
+ if (p == NULL)
return NULL;
- while (1) {
- /* Try to print in the allocated space. */
- va_start(ap, fmt);
- n = vsnprintf(p, size, fmt, ap);
- va_end(ap);
- /* If that worked, return the string. */
- if (n > \-1 && n < size)
- return p;
- /* Else try again with more space. */
- if (n > \-1) /* glibc 2.1 */
- size = n+1; /* precisely what is needed */
- else /* glibc 2.0 */
- size *= 2; /* twice the old size */
- if ((np = realloc (p, size)) == NULL) {
- free(p);
- return NULL;
- } else {
- p = np;
- }
+ va_start(ap, fmt);
+ size = vsnprintf(p, size, fmt, ap);
+ va_end(ap);
+
+ if (size < 0) {
+ free(p);
+ return NULL;
}
+
+ return p;
}
-.fi
-.SH "SEE ALSO"
+.EE
+.PP
+If truncation occurs in glibc versions prior to 2.0.6, this is treated as an
+error instead of being handled gracefully.
+.SH SEE ALSO
.BR printf (1),
.BR asprintf (3),
-.BR dprintf (3),
+.BR puts (3),
.BR scanf (3),
.BR setlocale (3),
+.BR strfromd (3),
.BR wcrtomb (3),
.BR wprintf (3),
.BR locale (5)
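Review bot: In the rewritten `make_message()` example, `size++` is a signed `int` increment applied to the value returned by the sizing `vsnprintf()` call, so a return of exactly `INT_MAX` overflows (undefined behaviour) before the value reaches `malloc()`. Examples from this page are routinely copied into real code, so a guard is worth adding: `if (size < 0 || size == INT_MAX) return NULL;` with `#include <limits.h>`, or keep the return value in an `int n` and compute the allocation size as `(size_t) n + 1`. The second `vsnprintf()` call is bounded by the allocated size, so if the arguments changed between the two calls the output would be truncated rather than overflow the buffer, but the example does not detect that truncation and a sentence saying so would help. The comment `/* For '\\0' */` uses a different escape style from the `\e` used in the other examples on this page, so please check how it renders.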