xref: /freebsd/lib/libc/stdio/printf.3 (revision b85e1f7d05ac7889868f2364474e02b6a024af25)
1.\" Copyright (c) 1990, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" This code is derived from software contributed to Berkeley by
5.\" Chris Torek and the American National Standards Committee X3,
6.\" on Information Processing Systems.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"     @(#)printf.3	8.1 (Berkeley) 6/4/93
33.\" $FreeBSD$
34.\"
35.Dd December 2, 2009
36.Dt PRINTF 3
37.Os
38.Sh NAME
39.Nm printf , fprintf , sprintf , snprintf , asprintf , dprintf ,
40.Nm vprintf , vfprintf, vsprintf , vsnprintf , vasprintf, vdprintf
41.Nd formatted output conversion
42.Sh LIBRARY
43.Lb libc
44.Sh SYNOPSIS
45.Fd "#define _WITH_DPRINTF"
46.In stdio.h
47.Ft int
48.Fn printf "const char * restrict format" ...
49.Ft int
50.Fn fprintf "FILE * restrict stream" "const char * restrict format" ...
51.Ft int
52.Fn sprintf "char * restrict str" "const char * restrict format" ...
53.Ft int
54.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ...
55.Ft int
56.Fn asprintf "char **ret" "const char *format" ...
57.Ft int
58.Fn dprintf "int fd" "const char * restrict format" ...
59.In stdarg.h
60.Ft int
61.Fn vprintf "const char * restrict format" "va_list ap"
62.Ft int
63.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap"
64.Ft int
65.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap"
66.Ft int
67.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap"
68.Ft int
69.Fn vasprintf "char **ret" "const char *format" "va_list ap"
70.Ft int
71.Fn vdprintf "int fd" "const char * restrict format" "va_list ap"
72.Sh DESCRIPTION
73The
74.Fn printf
75family of functions produces output according to a
76.Fa format
77as described below.
78The
79.Fn printf
80and
81.Fn vprintf
82functions
83write output to
84.Dv stdout ,
85the standard output stream;
86.Fn fprintf
87and
88.Fn vfprintf
89write output to the given output
90.Fa stream ;
91.Fn dprintf
92and
93.Fn vdprintf
94write output to the given file descriptor;
95.Fn sprintf ,
96.Fn snprintf ,
97.Fn vsprintf ,
98and
99.Fn vsnprintf
100write to the character string
101.Fa str ;
102and
103.Fn asprintf
104and
105.Fn vasprintf
106dynamically allocate a new string with
107.Xr malloc 3 .
108.Pp
109These functions write the output under the control of a
110.Fa format
111string that specifies how subsequent arguments
112(or arguments accessed via the variable-length argument facilities of
113.Xr stdarg 3 )
114are converted for output.
115.Pp
116The
117.Fn asprintf
118and
119.Fn vasprintf
120functions
121set
122.Fa *ret
123to be a pointer to a buffer sufficiently large to hold the formatted string.
124This pointer should be passed to
125.Xr free 3
126to release the allocated storage when it is no longer needed.
127If sufficient space cannot be allocated,
128.Fn asprintf
129and
130.Fn vasprintf
131will return \-1 and set
132.Fa ret
133to be a
134.Dv NULL
135pointer.
136.Pp
137The
138.Fn snprintf
139and
140.Fn vsnprintf
141functions
142will write at most
143.Fa size Ns \-1
144of the characters printed into the output string
145(the
146.Fa size Ns 'th
147character then gets the terminating
148.Ql \e0 ) ;
149if the return value is greater than or equal to the
150.Fa size
151argument, the string was too short
152and some of the printed characters were discarded.
153The output is always null-terminated, unless
154.Fa size
155is 0.
156.Pp
157The
158.Fn sprintf
159and
160.Fn vsprintf
161functions
162effectively assume a
163.Fa size
164of
165.Dv INT_MAX + 1.
166.Pp
167The format string is composed of zero or more directives:
168ordinary
169.\" multibyte
170characters (not
171.Cm % ) ,
172which are copied unchanged to the output stream;
173and conversion specifications, each of which results
174in fetching zero or more subsequent arguments.
175Each conversion specification is introduced by
176the
177.Cm %
178character.
179The arguments must correspond properly (after type promotion)
180with the conversion specifier.
181After the
182.Cm % ,
183the following appear in sequence:
184.Bl -bullet
185.It
186An optional field, consisting of a decimal digit string followed by a
187.Cm $ ,
188specifying the next argument to access.
189If this field is not provided, the argument following the last
190argument accessed will be used.
191Arguments are numbered starting at
192.Cm 1 .
193If unaccessed arguments in the format string are interspersed with ones that
194are accessed the results will be indeterminate.
195.It
196Zero or more of the following flags:
197.Bl -tag -width ".So \  Sc (space)"
198.It Sq Cm #
199The value should be converted to an
200.Dq alternate form .
201For
202.Cm c , d , i , n , p , s ,
203and
204.Cm u
205conversions, this option has no effect.
206For
207.Cm o
208conversions, the precision of the number is increased to force the first
209character of the output string to a zero.
210For
211.Cm x
212and
213.Cm X
214conversions, a non-zero result has the string
215.Ql 0x
216(or
217.Ql 0X
218for
219.Cm X
220conversions) prepended to it.
221For
222.Cm a , A , e , E , f , F , g ,
223and
224.Cm G
225conversions, the result will always contain a decimal point, even if no
226digits follow it (normally, a decimal point appears in the results of
227those conversions only if a digit follows).
228For
229.Cm g
230and
231.Cm G
232conversions, trailing zeros are not removed from the result as they
233would otherwise be.
234.It So Cm 0 Sc (zero)
235Zero padding.
236For all conversions except
237.Cm n ,
238the converted value is padded on the left with zeros rather than blanks.
239If a precision is given with a numeric conversion
240.Cm ( d , i , o , u , i , x ,
241and
242.Cm X ) ,
243the
244.Cm 0
245flag is ignored.
246.It Sq Cm \-
247A negative field width flag;
248the converted value is to be left adjusted on the field boundary.
249Except for
250.Cm n
251conversions, the converted value is padded on the right with blanks,
252rather than on the left with blanks or zeros.
253A
254.Cm \-
255overrides a
256.Cm 0
257if both are given.
258.It So "\ " Sc (space)
259A blank should be left before a positive number
260produced by a signed conversion
261.Cm ( a , A , d , e , E , f , F , g , G ,
262or
263.Cm i ) .
264.It Sq Cm +
265A sign must always be placed before a
266number produced by a signed conversion.
267A
268.Cm +
269overrides a space if both are used.
270.It So "'" Sc (apostrophe)
271Decimal conversions
272.Cm ( d , u ,
273or
274.Cm i )
275or the integral portion of a floating point conversion
276.Cm ( f
277or
278.Cm F )
279should be grouped and separated by thousands using
280the non-monetary separator returned by
281.Xr localeconv 3 .
282.El
283.It
284An optional decimal digit string specifying a minimum field width.
285If the converted value has fewer characters than the field width, it will
286be padded with spaces on the left (or right, if the left-adjustment
287flag has been given) to fill out
288the field width.
289.It
290An optional precision, in the form of a period
291.Cm \&.
292followed by an
293optional digit string.
294If the digit string is omitted, the precision is taken as zero.
295This gives the minimum number of digits to appear for
296.Cm d , i , o , u , x ,
297and
298.Cm X
299conversions, the number of digits to appear after the decimal-point for
300.Cm a , A , e , E , f ,
301and
302.Cm F
303conversions, the maximum number of significant digits for
304.Cm g
305and
306.Cm G
307conversions, or the maximum number of characters to be printed from a
308string for
309.Cm s
310conversions.
311.It
312An optional length modifier, that specifies the size of the argument.
313The following length modifiers are valid for the
314.Cm d , i , n , o , u , x ,
315or
316.Cm X
317conversion:
318.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *"
319.It Sy Modifier Ta Cm d , i Ta Cm o , u , x , X Ta Cm n
320.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *"
321.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *"
322.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *"
323.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *"
324.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *"
325.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *"
326.It Cm z Ta (see note) Ta Vt size_t Ta (see note)
327.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *"
328.El
329.Pp
330Note:
331the
332.Cm t
333modifier, when applied to a
334.Cm o , u , x ,
335or
336.Cm X
337conversion, indicates that the argument is of an unsigned type
338equivalent in size to a
339.Vt ptrdiff_t .
340The
341.Cm z
342modifier, when applied to a
343.Cm d
344or
345.Cm i
346conversion, indicates that the argument is of a signed type equivalent in
347size to a
348.Vt size_t .
349Similarly, when applied to an
350.Cm n
351conversion, it indicates that the argument is a pointer to a signed type
352equivalent in size to a
353.Vt size_t .
354.Pp
355The following length modifier is valid for the
356.Cm a , A , e , E , f , F , g ,
357or
358.Cm G
359conversion:
360.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G"
361.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G
362.It Cm l No (ell) Ta Vt double
363(ignored, same behavior as without it)
364.It Cm L Ta Vt "long double"
365.El
366.Pp
367The following length modifier is valid for the
368.Cm c
369or
370.Cm s
371conversion:
372.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *"
373.It Sy Modifier Ta Cm c Ta Cm s
374.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *"
375.El
376.It
377A character that specifies the type of conversion to be applied.
378.El
379.Pp
380A field width or precision, or both, may be indicated by
381an asterisk
382.Ql *
383or an asterisk followed by one or more decimal digits and a
384.Ql $
385instead of a
386digit string.
387In this case, an
388.Vt int
389argument supplies the field width or precision.
390A negative field width is treated as a left adjustment flag followed by a
391positive field width; a negative precision is treated as though it were
392missing.
393If a single format directive mixes positional
394.Pq Li nn$
395and non-positional arguments, the results are undefined.
396.Pp
397The conversion specifiers and their meanings are:
398.Bl -tag -width ".Cm diouxX"
399.It Cm diouxX
400The
401.Vt int
402(or appropriate variant) argument is converted to signed decimal
403.Cm ( d
404and
405.Cm i ) ,
406unsigned octal
407.Pq Cm o ,
408unsigned decimal
409.Pq Cm u ,
410or unsigned hexadecimal
411.Cm ( x
412and
413.Cm X )
414notation.
415The letters
416.Dq Li abcdef
417are used for
418.Cm x
419conversions; the letters
420.Dq Li ABCDEF
421are used for
422.Cm X
423conversions.
424The precision, if any, gives the minimum number of digits that must
425appear; if the converted value requires fewer digits, it is padded on
426the left with zeros.
427.It Cm DOU
428The
429.Vt "long int"
430argument is converted to signed decimal, unsigned octal, or unsigned
431decimal, as if the format had been
432.Cm ld , lo ,
433or
434.Cm lu
435respectively.
436These conversion characters are deprecated, and will eventually disappear.
437.It Cm eE
438The
439.Vt double
440argument is rounded and converted in the style
441.Sm off
442.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd
443.Sm on
444where there is one digit before the
445decimal-point character
446and the number of digits after it is equal to the precision;
447if the precision is missing,
448it is taken as 6; if the precision is
449zero, no decimal-point character appears.
450An
451.Cm E
452conversion uses the letter
453.Ql E
454(rather than
455.Ql e )
456to introduce the exponent.
457The exponent always contains at least two digits; if the value is zero,
458the exponent is 00.
459.Pp
460For
461.Cm a , A , e , E , f , F , g ,
462and
463.Cm G
464conversions, positive and negative infinity are represented as
465.Li inf
466and
467.Li -inf
468respectively when using the lowercase conversion character, and
469.Li INF
470and
471.Li -INF
472respectively when using the uppercase conversion character.
473Similarly, NaN is represented as
474.Li nan
475when using the lowercase conversion, and
476.Li NAN
477when using the uppercase conversion.
478.It Cm fF
479The
480.Vt double
481argument is rounded and converted to decimal notation in the style
482.Sm off
483.Oo \- Oc Ar ddd Li \&. Ar ddd ,
484.Sm on
485where the number of digits after the decimal-point character
486is equal to the precision specification.
487If the precision is missing, it is taken as 6; if the precision is
488explicitly zero, no decimal-point character appears.
489If a decimal point appears, at least one digit appears before it.
490.It Cm gG
491The
492.Vt double
493argument is converted in style
494.Cm f
495or
496.Cm e
497(or
498.Cm F
499or
500.Cm E
501for
502.Cm G
503conversions).
504The precision specifies the number of significant digits.
505If the precision is missing, 6 digits are given; if the precision is zero,
506it is treated as 1.
507Style
508.Cm e
509is used if the exponent from its conversion is less than \-4 or greater than
510or equal to the precision.
511Trailing zeros are removed from the fractional part of the result; a
512decimal point appears only if it is followed by at least one digit.
513.It Cm aA
514The
515.Vt double
516argument is rounded and converted to hexadecimal notation in the style
517.Sm off
518.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d ,
519.Sm on
520where the number of digits after the hexadecimal-point character
521is equal to the precision specification.
522If the precision is missing, it is taken as enough to represent
523the floating-point number exactly, and no rounding occurs.
524If the precision is zero, no hexadecimal-point character appears.
525The
526.Cm p
527is a literal character
528.Ql p ,
529and the exponent consists of a positive or negative sign
530followed by a decimal number representing an exponent of 2.
531The
532.Cm A
533conversion uses the prefix
534.Dq Li 0X
535(rather than
536.Dq Li 0x ) ,
537the letters
538.Dq Li ABCDEF
539(rather than
540.Dq Li abcdef )
541to represent the hex digits, and the letter
542.Ql P
543(rather than
544.Ql p )
545to separate the mantissa and exponent.
546.Pp
547Note that there may be multiple valid ways to represent floating-point
548numbers in this hexadecimal format.
549For example,
550.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 ,
551and
552.Li 0xc.9p-2
553are all equivalent.
554.Fx 8.0
555and later always prints finite non-zero numbers using
556.Ql 1
557as the digit before the hexadecimal point.
558Zeroes are always represented with a mantissa of 0 (preceded by a
559.Ql -
560if appropriate) and an exponent of
561.Li +0 .
562.It Cm C
563Treated as
564.Cm c
565with the
566.Cm l
567(ell) modifier.
568.It Cm c
569The
570.Vt int
571argument is converted to an
572.Vt "unsigned char" ,
573and the resulting character is written.
574.Pp
575If the
576.Cm l
577(ell) modifier is used, the
578.Vt wint_t
579argument shall be converted to a
580.Vt wchar_t ,
581and the (potentially multi-byte) sequence representing the
582single wide character is written, including any shift sequences.
583If a shift sequence is used, the shift state is also restored
584to the original state after the character.
585.It Cm S
586Treated as
587.Cm s
588with the
589.Cm l
590(ell) modifier.
591.It Cm s
592The
593.Vt "char *"
594argument is expected to be a pointer to an array of character type (pointer
595to a string).
596Characters from the array are written up to (but not including)
597a terminating
598.Dv NUL
599character;
600if a precision is specified, no more than the number specified are
601written.
602If a precision is given, no null character
603need be present; if the precision is not specified, or is greater than
604the size of the array, the array must contain a terminating
605.Dv NUL
606character.
607.Pp
608If the
609.Cm l
610(ell) modifier is used, the
611.Vt "wchar_t *"
612argument is expected to be a pointer to an array of wide characters
613(pointer to a wide string).
614For each wide character in the string, the (potentially multi-byte)
615sequence representing the
616wide character is written, including any shift sequences.
617If any shift sequence is used, the shift state is also restored
618to the original state after the string.
619Wide characters from the array are written up to (but not including)
620a terminating wide
621.Dv NUL
622character;
623if a precision is specified, no more than the number of bytes specified are
624written (including shift sequences).
625Partial characters are never written.
626If a precision is given, no null character
627need be present; if the precision is not specified, or is greater than
628the number of bytes required to render the multibyte representation of
629the string, the array must contain a terminating wide
630.Dv NUL
631character.
632.It Cm p
633The
634.Vt "void *"
635pointer argument is printed in hexadecimal (as if by
636.Ql %#x
637or
638.Ql %#lx ) .
639.It Cm n
640The number of characters written so far is stored into the
641integer indicated by the
642.Vt "int *"
643(or variant) pointer argument.
644No argument is converted.
645.It Cm %
646A
647.Ql %
648is written.
649No argument is converted.
650The complete conversion specification
651is
652.Ql %% .
653.El
654.Pp
655The decimal point
656character is defined in the program's locale (category
657.Dv LC_NUMERIC ) .
658.Pp
659In no case does a non-existent or small field width cause truncation of
660a numeric field; if the result of a conversion is wider than the field
661width, the
662field is expanded to contain the conversion result.
663.Sh RETURN VALUES
664These functions return the number of characters printed
665(not including the trailing
666.Ql \e0
667used to end output to strings),
668except for
669.Fn snprintf
670and
671.Fn vsnprintf ,
672which return the number of characters that would have been printed if the
673.Fa size
674were unlimited
675(again, not including the final
676.Ql \e0 ) .
677These functions return a negative value if an error occurs.
678.Sh EXAMPLES
679To print a date and time in the form
680.Dq Li "Sunday, July 3, 10:02" ,
681where
682.Fa weekday
683and
684.Fa month
685are pointers to strings:
686.Bd -literal -offset indent
687#include <stdio.h>
688fprintf(stdout, "%s, %s %d, %.2d:%.2d\en",
689	weekday, month, day, hour, min);
690.Ed
691.Pp
692To print \*(Pi
693to five decimal places:
694.Bd -literal -offset indent
695#include <math.h>
696#include <stdio.h>
697fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0));
698.Ed
699.Pp
700To allocate a 128 byte string and print into it:
701.Bd -literal -offset indent
702#include <stdio.h>
703#include <stdlib.h>
704#include <stdarg.h>
705char *newfmt(const char *fmt, ...)
706{
707	char *p;
708	va_list ap;
709	if ((p = malloc(128)) == NULL)
710		return (NULL);
711	va_start(ap, fmt);
712	(void) vsnprintf(p, 128, fmt, ap);
713	va_end(ap);
714	return (p);
715}
716.Ed
717.Sh COMPATIBILITY
718Many application writers used the name
719.Va dprintf
720before the
721.Fn dprintf
722function was introduced in
723.St -p1003.1 ,
724so a prototype is not provided by default in order to avoid
725compatibility problems.
726Applications that wish to use the
727.Fn dprintf
728function described herein should either request a strict
729.St -p1003.1-2008
730environment by defining the macro
731.Dv _POSIX_C_SOURCE
732to the value 200809 or greater, or by defining the macro
733.Dv _WITH_DPRINTF ,
734prior to the inclusion of
735.In stdio.h .
736For compatibility with GNU libc, defining either
737.Dv _BSD_SOURCE
738or
739.Dv _GNU_SOURCE
740prior to the inclusion of
741.In stdio.h
742will also make
743.Fn dprintf
744available.
745.Pp
746The conversion formats
747.Cm \&%D , \&%O ,
748and
749.Cm \&%U
750are not standard and
751are provided only for backward compatibility.
752The effect of padding the
753.Cm %p
754format with zeros (either by the
755.Cm 0
756flag or by specifying a precision), and the benign effect (i.e., none)
757of the
758.Cm #
759flag on
760.Cm %n
761and
762.Cm %p
763conversions, as well as other
764nonsensical combinations such as
765.Cm %Ld ,
766are not standard; such combinations
767should be avoided.
768.Sh ERRORS
769In addition to the errors documented for the
770.Xr write 2
771system call, the
772.Fn printf
773family of functions may fail if:
774.Bl -tag -width Er
775.It Bq Er EILSEQ
776An invalid wide character code was encountered.
777.It Bq Er ENOMEM
778Insufficient storage space is available.
779.It Bq Er EOVERFLOW
780The
781.Fa size
782argument exceeds
783.Dv INT_MAX + 1 ,
784or the return value would be too large to be represented by an
785.Vt int .
786.El
787.Sh SEE ALSO
788.Xr printf 1 ,
789.Xr fmtcheck 3 ,
790.Xr scanf 3 ,
791.Xr setlocale 3 ,
792.Xr wprintf 3
793.Sh STANDARDS
794Subject to the caveats noted in the
795.Sx BUGS
796section below, the
797.Fn fprintf ,
798.Fn printf ,
799.Fn sprintf ,
800.Fn vprintf ,
801.Fn vfprintf ,
802and
803.Fn vsprintf
804functions
805conform to
806.St -ansiC
807and
808.St -isoC-99 .
809With the same reservation, the
810.Fn snprintf
811and
812.Fn vsnprintf
813functions conform to
814.St -isoC-99 ,
815while
816.Fn dprintf
817and
818.Fn vdprintf
819conform to
820.St -p1003.1-2008 .
821.Sh HISTORY
822The functions
823.Fn asprintf
824and
825.Fn vasprintf
826first appeared in the
827.Tn GNU C
828library.
829These were implemented by
830.An Peter Wemm Aq peter@FreeBSD.org
831in
832.Fx 2.2 ,
833but were later replaced with a different implementation
834from
835.Ox 2.3
836by
837.An Todd C. Miller Aq Todd.Miller@courtesan.com .
838The
839.Fn dprintf
840and
841.Fn vdprintf
842functions were added in
843.Fx 8.0 .
844.Sh BUGS
845The
846.Nm
847family of functions do not correctly handle multibyte characters in the
848.Fa format
849argument.
850.Sh SECURITY CONSIDERATIONS
851The
852.Fn sprintf
853and
854.Fn vsprintf
855functions are easily misused in a manner which enables malicious users
856to arbitrarily change a running program's functionality through
857a buffer overflow attack.
858Because
859.Fn sprintf
860and
861.Fn vsprintf
862assume an infinitely long string,
863callers must be careful not to overflow the actual space;
864this is often hard to assure.
865For safety, programmers should use the
866.Fn snprintf
867interface instead.
868For example:
869.Bd -literal
870void
871foo(const char *arbitrary_string, const char *and_another)
872{
873	char onstack[8];
874
875#ifdef BAD
876	/*
877	 * This first sprintf is bad behavior.  Do not use sprintf!
878	 */
879	sprintf(onstack, "%s, %s", arbitrary_string, and_another);
880#else
881	/*
882	 * The following two lines demonstrate better use of
883	 * snprintf().
884	 */
885	snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string,
886	    and_another);
887#endif
888}
889.Ed
890.Pp
891The
892.Fn printf
893and
894.Fn sprintf
895family of functions are also easily misused in a manner
896allowing malicious users to arbitrarily change a running program's
897functionality by either causing the program
898to print potentially sensitive data
899.Dq "left on the stack" ,
900or causing it to generate a memory fault or bus error
901by dereferencing an invalid pointer.
902.Pp
903.Cm %n
904can be used to write arbitrary data to potentially carefully-selected
905addresses.
906Programmers are therefore strongly advised to never pass untrusted strings
907as the
908.Fa format
909argument, as an attacker can put format specifiers in the string
910to mangle your stack,
911leading to a possible security hole.
912This holds true even if the string was built using a function like
913.Fn snprintf ,
914as the resulting string may still contain user-supplied conversion specifiers
915for later interpolation by
916.Fn printf .
917.Pp
918Always use the proper secure idiom:
919.Pp
920.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);"
921