xref: /freebsd/lib/libc/stdio/printf.3 (revision 74fe6c29fb7eef3418d7919dcd41dc1a04a982a1)
1.\" Copyright (c) 1990, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" This code is derived from software contributed to Berkeley by
5.\" Chris Torek and the American National Standards Committee X3,
6.\" on Information Processing Systems.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\" 3. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"     @(#)printf.3	8.1 (Berkeley) 6/4/93
33.\" $FreeBSD$
34.\"
35.Dd July 30, 2016
36.Dt PRINTF 3
37.Os
38.Sh NAME
39.Nm printf , fprintf , sprintf , snprintf , asprintf , dprintf ,
40.Nm vprintf , vfprintf, vsprintf , vsnprintf , vasprintf, vdprintf
41.Nd formatted output conversion
42.Sh LIBRARY
43.Lb libc
44.Sh SYNOPSIS
45.In stdio.h
46.Ft int
47.Fn printf "const char * restrict format" ...
48.Ft int
49.Fn fprintf "FILE * restrict stream" "const char * restrict format" ...
50.Ft int
51.Fn sprintf "char * restrict str" "const char * restrict format" ...
52.Ft int
53.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ...
54.Ft int
55.Fn asprintf "char **ret" "const char *format" ...
56.Ft int
57.Fn dprintf "int fd" "const char * restrict format" ...
58.In stdarg.h
59.Ft int
60.Fn vprintf "const char * restrict format" "va_list ap"
61.Ft int
62.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap"
63.Ft int
64.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap"
65.Ft int
66.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap"
67.Ft int
68.Fn vasprintf "char **ret" "const char *format" "va_list ap"
69.Ft int
70.Fn vdprintf "int fd" "const char * restrict format" "va_list ap"
71.Sh DESCRIPTION
72The
73.Fn printf
74family of functions produces output according to a
75.Fa format
76as described below.
77The
78.Fn printf
79and
80.Fn vprintf
81functions
82write output to
83.Dv stdout ,
84the standard output stream;
85.Fn fprintf
86and
87.Fn vfprintf
88write output to the given output
89.Fa stream ;
90.Fn dprintf
91and
92.Fn vdprintf
93write output to the given file descriptor;
94.Fn sprintf ,
95.Fn snprintf ,
96.Fn vsprintf ,
97and
98.Fn vsnprintf
99write to the character string
100.Fa str ;
101and
102.Fn asprintf
103and
104.Fn vasprintf
105dynamically allocate a new string with
106.Xr malloc 3 .
107.Pp
108These functions write the output under the control of a
109.Fa format
110string that specifies how subsequent arguments
111(or arguments accessed via the variable-length argument facilities of
112.Xr stdarg 3 )
113are converted for output.
114.Pp
115The
116.Fn asprintf
117and
118.Fn vasprintf
119functions
120set
121.Fa *ret
122to be a pointer to a buffer sufficiently large to hold the formatted string.
123This pointer should be passed to
124.Xr free 3
125to release the allocated storage when it is no longer needed.
126If sufficient space cannot be allocated,
127.Fn asprintf
128and
129.Fn vasprintf
130will return \-1 and set
131.Fa ret
132to be a
133.Dv NULL
134pointer.
135.Pp
136The
137.Fn snprintf
138and
139.Fn vsnprintf
140functions
141will write at most
142.Fa size Ns \-1
143of the characters printed into the output string
144(the
145.Fa size Ns 'th
146character then gets the terminating
147.Ql \e0 ) ;
148if the return value is greater than or equal to the
149.Fa size
150argument, the string was too short
151and some of the printed characters were discarded.
152The output is always null-terminated, unless
153.Fa size
154is 0.
155.Pp
156The
157.Fn sprintf
158and
159.Fn vsprintf
160functions
161effectively assume a
162.Fa size
163of
164.Dv INT_MAX + 1.
165.Pp
166The format string is composed of zero or more directives:
167ordinary
168.\" multibyte
169characters (not
170.Cm % ) ,
171which are copied unchanged to the output stream;
172and conversion specifications, each of which results
173in fetching zero or more subsequent arguments.
174Each conversion specification is introduced by
175the
176.Cm %
177character.
178The arguments must correspond properly (after type promotion)
179with the conversion specifier.
180After the
181.Cm % ,
182the following appear in sequence:
183.Bl -bullet
184.It
185An optional field, consisting of a decimal digit string followed by a
186.Cm $ ,
187specifying the next argument to access.
188If this field is not provided, the argument following the last
189argument accessed will be used.
190Arguments are numbered starting at
191.Cm 1 .
192If unaccessed arguments in the format string are interspersed with ones that
193are accessed the results will be indeterminate.
194.It
195Zero or more of the following flags:
196.Bl -tag -width ".So \  Sc (space)"
197.It Sq Cm #
198The value should be converted to an
199.Dq alternate form .
200For
201.Cm c , d , i , n , p , s ,
202and
203.Cm u
204conversions, this option has no effect.
205For
206.Cm o
207conversions, the precision of the number is increased to force the first
208character of the output string to a zero.
209For
210.Cm x
211and
212.Cm X
213conversions, a non-zero result has the string
214.Ql 0x
215(or
216.Ql 0X
217for
218.Cm X
219conversions) prepended to it.
220For
221.Cm a , A , e , E , f , F , g ,
222and
223.Cm G
224conversions, the result will always contain a decimal point, even if no
225digits follow it (normally, a decimal point appears in the results of
226those conversions only if a digit follows).
227For
228.Cm g
229and
230.Cm G
231conversions, trailing zeros are not removed from the result as they
232would otherwise be.
233.It So Cm 0 Sc (zero)
234Zero padding.
235For all conversions except
236.Cm n ,
237the converted value is padded on the left with zeros rather than blanks.
238If a precision is given with a numeric conversion
239.Cm ( d , i , o , u , i , x ,
240and
241.Cm X ) ,
242the
243.Cm 0
244flag is ignored.
245.It Sq Cm \-
246A negative field width flag;
247the converted value is to be left adjusted on the field boundary.
248Except for
249.Cm n
250conversions, the converted value is padded on the right with blanks,
251rather than on the left with blanks or zeros.
252A
253.Cm \-
254overrides a
255.Cm 0
256if both are given.
257.It So "\ " Sc (space)
258A blank should be left before a positive number
259produced by a signed conversion
260.Cm ( a , A , d , e , E , f , F , g , G ,
261or
262.Cm i ) .
263.It Sq Cm +
264A sign must always be placed before a
265number produced by a signed conversion.
266A
267.Cm +
268overrides a space if both are used.
269.It So "'" Sc (apostrophe)
270Decimal conversions
271.Cm ( d , u ,
272or
273.Cm i )
274or the integral portion of a floating point conversion
275.Cm ( f
276or
277.Cm F )
278should be grouped and separated by thousands using
279the non-monetary separator returned by
280.Xr localeconv 3 .
281.El
282.It
283An optional decimal digit string specifying a minimum field width.
284If the converted value has fewer characters than the field width, it will
285be padded with spaces on the left (or right, if the left-adjustment
286flag has been given) to fill out
287the field width.
288.It
289An optional precision, in the form of a period
290.Cm \&.
291followed by an
292optional digit string.
293If the digit string is omitted, the precision is taken as zero.
294This gives the minimum number of digits to appear for
295.Cm d , i , o , u , x ,
296and
297.Cm X
298conversions, the number of digits to appear after the decimal-point for
299.Cm a , A , e , E , f ,
300and
301.Cm F
302conversions, the maximum number of significant digits for
303.Cm g
304and
305.Cm G
306conversions, or the maximum number of characters to be printed from a
307string for
308.Cm s
309conversions.
310.It
311An optional length modifier, that specifies the size of the argument.
312The following length modifiers are valid for the
313.Cm d , i , n , o , u , x ,
314or
315.Cm X
316conversion:
317.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *"
318.It Sy Modifier Ta Cm d , i Ta Cm o , u , x , X Ta Cm n
319.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *"
320.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *"
321.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *"
322.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *"
323.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *"
324.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *"
325.It Cm z Ta (see note) Ta Vt size_t Ta (see note)
326.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *"
327.El
328.Pp
329Note:
330the
331.Cm t
332modifier, when applied to a
333.Cm o , u , x ,
334or
335.Cm X
336conversion, indicates that the argument is of an unsigned type
337equivalent in size to a
338.Vt ptrdiff_t .
339The
340.Cm z
341modifier, when applied to a
342.Cm d
343or
344.Cm i
345conversion, indicates that the argument is of a signed type equivalent in
346size to a
347.Vt size_t .
348Similarly, when applied to an
349.Cm n
350conversion, it indicates that the argument is a pointer to a signed type
351equivalent in size to a
352.Vt size_t .
353.Pp
354The following length modifier is valid for the
355.Cm a , A , e , E , f , F , g ,
356or
357.Cm G
358conversion:
359.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G"
360.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G
361.It Cm l No (ell) Ta Vt double
362(ignored, same behavior as without it)
363.It Cm L Ta Vt "long double"
364.El
365.Pp
366The following length modifier is valid for the
367.Cm c
368or
369.Cm s
370conversion:
371.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *"
372.It Sy Modifier Ta Cm c Ta Cm s
373.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *"
374.El
375.It
376A character that specifies the type of conversion to be applied.
377.El
378.Pp
379A field width or precision, or both, may be indicated by
380an asterisk
381.Ql *
382or an asterisk followed by one or more decimal digits and a
383.Ql $
384instead of a
385digit string.
386In this case, an
387.Vt int
388argument supplies the field width or precision.
389A negative field width is treated as a left adjustment flag followed by a
390positive field width; a negative precision is treated as though it were
391missing.
392If a single format directive mixes positional
393.Pq Li nn$
394and non-positional arguments, the results are undefined.
395.Pp
396The conversion specifiers and their meanings are:
397.Bl -tag -width ".Cm diouxX"
398.It Cm diouxX
399The
400.Vt int
401(or appropriate variant) argument is converted to signed decimal
402.Cm ( d
403and
404.Cm i ) ,
405unsigned octal
406.Pq Cm o ,
407unsigned decimal
408.Pq Cm u ,
409or unsigned hexadecimal
410.Cm ( x
411and
412.Cm X )
413notation.
414The letters
415.Dq Li abcdef
416are used for
417.Cm x
418conversions; the letters
419.Dq Li ABCDEF
420are used for
421.Cm X
422conversions.
423The precision, if any, gives the minimum number of digits that must
424appear; if the converted value requires fewer digits, it is padded on
425the left with zeros.
426.It Cm DOU
427The
428.Vt "long int"
429argument is converted to signed decimal, unsigned octal, or unsigned
430decimal, as if the format had been
431.Cm ld , lo ,
432or
433.Cm lu
434respectively.
435These conversion characters are deprecated, and will eventually disappear.
436.It Cm eE
437The
438.Vt double
439argument is rounded and converted in the style
440.Sm off
441.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd
442.Sm on
443where there is one digit before the
444decimal-point character
445and the number of digits after it is equal to the precision;
446if the precision is missing,
447it is taken as 6; if the precision is
448zero, no decimal-point character appears.
449An
450.Cm E
451conversion uses the letter
452.Ql E
453(rather than
454.Ql e )
455to introduce the exponent.
456The exponent always contains at least two digits; if the value is zero,
457the exponent is 00.
458.Pp
459For
460.Cm a , A , e , E , f , F , g ,
461and
462.Cm G
463conversions, positive and negative infinity are represented as
464.Li inf
465and
466.Li -inf
467respectively when using the lowercase conversion character, and
468.Li INF
469and
470.Li -INF
471respectively when using the uppercase conversion character.
472Similarly, NaN is represented as
473.Li nan
474when using the lowercase conversion, and
475.Li NAN
476when using the uppercase conversion.
477.It Cm fF
478The
479.Vt double
480argument is rounded and converted to decimal notation in the style
481.Sm off
482.Oo \- Oc Ar ddd Li \&. Ar ddd ,
483.Sm on
484where the number of digits after the decimal-point character
485is equal to the precision specification.
486If the precision is missing, it is taken as 6; if the precision is
487explicitly zero, no decimal-point character appears.
488If a decimal point appears, at least one digit appears before it.
489.It Cm gG
490The
491.Vt double
492argument is converted in style
493.Cm f
494or
495.Cm e
496(or
497.Cm F
498or
499.Cm E
500for
501.Cm G
502conversions).
503The precision specifies the number of significant digits.
504If the precision is missing, 6 digits are given; if the precision is zero,
505it is treated as 1.
506Style
507.Cm e
508is used if the exponent from its conversion is less than \-4 or greater than
509or equal to the precision.
510Trailing zeros are removed from the fractional part of the result; a
511decimal point appears only if it is followed by at least one digit.
512.It Cm aA
513The
514.Vt double
515argument is rounded and converted to hexadecimal notation in the style
516.Sm off
517.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d ,
518.Sm on
519where the number of digits after the hexadecimal-point character
520is equal to the precision specification.
521If the precision is missing, it is taken as enough to represent
522the floating-point number exactly, and no rounding occurs.
523If the precision is zero, no hexadecimal-point character appears.
524The
525.Cm p
526is a literal character
527.Ql p ,
528and the exponent consists of a positive or negative sign
529followed by a decimal number representing an exponent of 2.
530The
531.Cm A
532conversion uses the prefix
533.Dq Li 0X
534(rather than
535.Dq Li 0x ) ,
536the letters
537.Dq Li ABCDEF
538(rather than
539.Dq Li abcdef )
540to represent the hex digits, and the letter
541.Ql P
542(rather than
543.Ql p )
544to separate the mantissa and exponent.
545.Pp
546Note that there may be multiple valid ways to represent floating-point
547numbers in this hexadecimal format.
548For example,
549.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 ,
550and
551.Li 0xc.9p-2
552are all equivalent.
553.Fx 8.0
554and later always prints finite non-zero numbers using
555.Ql 1
556as the digit before the hexadecimal point.
557Zeroes are always represented with a mantissa of 0 (preceded by a
558.Ql -
559if appropriate) and an exponent of
560.Li +0 .
561.It Cm C
562Treated as
563.Cm c
564with the
565.Cm l
566(ell) modifier.
567.It Cm c
568The
569.Vt int
570argument is converted to an
571.Vt "unsigned char" ,
572and the resulting character is written.
573.Pp
574If the
575.Cm l
576(ell) modifier is used, the
577.Vt wint_t
578argument shall be converted to a
579.Vt wchar_t ,
580and the (potentially multi-byte) sequence representing the
581single wide character is written, including any shift sequences.
582If a shift sequence is used, the shift state is also restored
583to the original state after the character.
584.It Cm S
585Treated as
586.Cm s
587with the
588.Cm l
589(ell) modifier.
590.It Cm s
591The
592.Vt "char *"
593argument is expected to be a pointer to an array of character type (pointer
594to a string).
595Characters from the array are written up to (but not including)
596a terminating
597.Dv NUL
598character;
599if a precision is specified, no more than the number specified are
600written.
601If a precision is given, no null character
602need be present; if the precision is not specified, or is greater than
603the size of the array, the array must contain a terminating
604.Dv NUL
605character.
606.Pp
607If the
608.Cm l
609(ell) modifier is used, the
610.Vt "wchar_t *"
611argument is expected to be a pointer to an array of wide characters
612(pointer to a wide string).
613For each wide character in the string, the (potentially multi-byte)
614sequence representing the
615wide character is written, including any shift sequences.
616If any shift sequence is used, the shift state is also restored
617to the original state after the string.
618Wide characters from the array are written up to (but not including)
619a terminating wide
620.Dv NUL
621character;
622if a precision is specified, no more than the number of bytes specified are
623written (including shift sequences).
624Partial characters are never written.
625If a precision is given, no null character
626need be present; if the precision is not specified, or is greater than
627the number of bytes required to render the multibyte representation of
628the string, the array must contain a terminating wide
629.Dv NUL
630character.
631.It Cm p
632The
633.Vt "void *"
634pointer argument is printed in hexadecimal (as if by
635.Ql %#x
636or
637.Ql %#lx ) .
638.It Cm n
639The number of characters written so far is stored into the
640integer indicated by the
641.Vt "int *"
642(or variant) pointer argument.
643No argument is converted.
644.It Cm %
645A
646.Ql %
647is written.
648No argument is converted.
649The complete conversion specification
650is
651.Ql %% .
652.El
653.Pp
654The decimal point
655character is defined in the program's locale (category
656.Dv LC_NUMERIC ) .
657.Pp
658In no case does a non-existent or small field width cause truncation of
659a numeric field; if the result of a conversion is wider than the field
660width, the
661field is expanded to contain the conversion result.
662.Sh RETURN VALUES
663These functions return the number of characters printed
664(not including the trailing
665.Ql \e0
666used to end output to strings),
667except for
668.Fn snprintf
669and
670.Fn vsnprintf ,
671which return the number of characters that would have been printed if the
672.Fa size
673were unlimited
674(again, not including the final
675.Ql \e0 ) .
676These functions return a negative value if an error occurs.
677.Sh EXAMPLES
678To print a date and time in the form
679.Dq Li "Sunday, July 3, 10:02" ,
680where
681.Fa weekday
682and
683.Fa month
684are pointers to strings:
685.Bd -literal -offset indent
686#include <stdio.h>
687fprintf(stdout, "%s, %s %d, %.2d:%.2d\en",
688	weekday, month, day, hour, min);
689.Ed
690.Pp
691To print \*(Pi
692to five decimal places:
693.Bd -literal -offset indent
694#include <math.h>
695#include <stdio.h>
696fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0));
697.Ed
698.Pp
699To allocate a 128 byte string and print into it:
700.Bd -literal -offset indent
701#include <stdio.h>
702#include <stdlib.h>
703#include <stdarg.h>
704char *newfmt(const char *fmt, ...)
705{
706	char *p;
707	va_list ap;
708	if ((p = malloc(128)) == NULL)
709		return (NULL);
710	va_start(ap, fmt);
711	(void) vsnprintf(p, 128, fmt, ap);
712	va_end(ap);
713	return (p);
714}
715.Ed
716.Sh COMPATIBILITY
717The conversion formats
718.Cm \&%D , \&%O ,
719and
720.Cm \&%U
721are not standard and
722are provided only for backward compatibility.
723The effect of padding the
724.Cm %p
725format with zeros (either by the
726.Cm 0
727flag or by specifying a precision), and the benign effect (i.e., none)
728of the
729.Cm #
730flag on
731.Cm %n
732and
733.Cm %p
734conversions, as well as other
735nonsensical combinations such as
736.Cm %Ld ,
737are not standard; such combinations
738should be avoided.
739.Sh ERRORS
740In addition to the errors documented for the
741.Xr write 2
742system call, the
743.Fn printf
744family of functions may fail if:
745.Bl -tag -width Er
746.It Bq Er EILSEQ
747An invalid wide character code was encountered.
748.It Bq Er ENOMEM
749Insufficient storage space is available.
750.It Bq Er EOVERFLOW
751The
752.Fa size
753argument exceeds
754.Dv INT_MAX + 1 ,
755or the return value would be too large to be represented by an
756.Vt int .
757.El
758.Sh SEE ALSO
759.Xr printf 1 ,
760.Xr fmtcheck 3 ,
761.Xr scanf 3 ,
762.Xr setlocale 3 ,
763.Xr wprintf 3
764.Sh STANDARDS
765Subject to the caveats noted in the
766.Sx BUGS
767section below, the
768.Fn fprintf ,
769.Fn printf ,
770.Fn sprintf ,
771.Fn vprintf ,
772.Fn vfprintf ,
773and
774.Fn vsprintf
775functions
776conform to
777.St -ansiC
778and
779.St -isoC-99 .
780With the same reservation, the
781.Fn snprintf
782and
783.Fn vsnprintf
784functions conform to
785.St -isoC-99 ,
786while
787.Fn dprintf
788and
789.Fn vdprintf
790conform to
791.St -p1003.1-2008 .
792.Sh HISTORY
793The functions
794.Fn asprintf
795and
796.Fn vasprintf
797first appeared in the
798.Tn GNU C
799library.
800These were implemented by
801.An Peter Wemm Aq Mt peter@FreeBSD.org
802in
803.Fx 2.2 ,
804but were later replaced with a different implementation
805from
806.Ox 2.3
807by
808.An Todd C. Miller Aq Mt Todd.Miller@courtesan.com .
809The
810.Fn dprintf
811and
812.Fn vdprintf
813functions were added in
814.Fx 8.0 .
815.Sh BUGS
816The
817.Nm
818family of functions do not correctly handle multibyte characters in the
819.Fa format
820argument.
821.Sh SECURITY CONSIDERATIONS
822The
823.Fn sprintf
824and
825.Fn vsprintf
826functions are easily misused in a manner which enables malicious users
827to arbitrarily change a running program's functionality through
828a buffer overflow attack.
829Because
830.Fn sprintf
831and
832.Fn vsprintf
833assume an infinitely long string,
834callers must be careful not to overflow the actual space;
835this is often hard to assure.
836For safety, programmers should use the
837.Fn snprintf
838interface instead.
839For example:
840.Bd -literal
841void
842foo(const char *arbitrary_string, const char *and_another)
843{
844	char onstack[8];
845
846#ifdef BAD
847	/*
848	 * This first sprintf is bad behavior.  Do not use sprintf!
849	 */
850	sprintf(onstack, "%s, %s", arbitrary_string, and_another);
851#else
852	/*
853	 * The following two lines demonstrate better use of
854	 * snprintf().
855	 */
856	snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string,
857	    and_another);
858#endif
859}
860.Ed
861.Pp
862The
863.Fn printf
864and
865.Fn sprintf
866family of functions are also easily misused in a manner
867allowing malicious users to arbitrarily change a running program's
868functionality by either causing the program
869to print potentially sensitive data
870.Dq "left on the stack" ,
871or causing it to generate a memory fault or bus error
872by dereferencing an invalid pointer.
873.Pp
874.Cm %n
875can be used to write arbitrary data to potentially carefully-selected
876addresses.
877Programmers are therefore strongly advised to never pass untrusted strings
878as the
879.Fa format
880argument, as an attacker can put format specifiers in the string
881to mangle your stack,
882leading to a possible security hole.
883This holds true even if the string was built using a function like
884.Fn snprintf ,
885as the resulting string may still contain user-supplied conversion specifiers
886for later interpolation by
887.Fn printf .
888.Pp
889Always use the proper secure idiom:
890.Pp
891.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);"
892