1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" This code is derived from software contributed to Berkeley by 5.\" Chris Torek and the American National Standards Committee X3, 6.\" on Information Processing Systems. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)printf.3 8.1 (Berkeley) 6/4/93 33.\" $FreeBSD$ 34.\" 35.Dd December 2, 2009 36.Dt PRINTF 3 37.Os 38.Sh NAME 39.Nm printf , fprintf , sprintf , snprintf , asprintf , dprintf , 40.Nm vprintf , vfprintf, vsprintf , vsnprintf , vasprintf, vdprintf 41.Nd formatted output conversion 42.Sh LIBRARY 43.Lb libc 44.Sh SYNOPSIS 45.Fd "#define _WITH_DPRINTF" 46.In stdio.h 47.Ft int 48.Fn printf "const char * restrict format" ... 49.Ft int 50.Fn fprintf "FILE * restrict stream" "const char * restrict format" ... 51.Ft int 52.Fn sprintf "char * restrict str" "const char * restrict format" ... 53.Ft int 54.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ... 55.Ft int 56.Fn asprintf "char **ret" "const char *format" ... 57.Ft int 58.Fn dprintf "int fd" "const char * restrict format" ... 59.In stdarg.h 60.Ft int 61.Fn vprintf "const char * restrict format" "va_list ap" 62.Ft int 63.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap" 64.Ft int 65.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap" 66.Ft int 67.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap" 68.Ft int 69.Fn vasprintf "char **ret" "const char *format" "va_list ap" 70.Ft int 71.Fn vdprintf "int fd" "const char * restrict format" "va_list ap" 72.Sh DESCRIPTION 73The 74.Fn printf 75family of functions produces output according to a 76.Fa format 77as described below. 78The 79.Fn printf 80and 81.Fn vprintf 82functions 83write output to 84.Dv stdout , 85the standard output stream; 86.Fn fprintf 87and 88.Fn vfprintf 89write output to the given output 90.Fa stream ; 91.Fn dprintf 92and 93.Fn vdprintf 94write output to the given file descriptor; 95.Fn sprintf , 96.Fn snprintf , 97.Fn vsprintf , 98and 99.Fn vsnprintf 100write to the character string 101.Fa str ; 102and 103.Fn asprintf 104and 105.Fn vasprintf 106dynamically allocate a new string with 107.Xr malloc 3 . 108.Pp 109These functions write the output under the control of a 110.Fa format 111string that specifies how subsequent arguments 112(or arguments accessed via the variable-length argument facilities of 113.Xr stdarg 3 ) 114are converted for output. 115.Pp 116The 117.Fn asprintf 118and 119.Fn vasprintf 120functions 121set 122.Fa *ret 123to be a pointer to a buffer sufficiently large to hold the formatted string. 124This pointer should be passed to 125.Xr free 3 126to release the allocated storage when it is no longer needed. 127If sufficient space cannot be allocated, 128.Fn asprintf 129and 130.Fn vasprintf 131will return \-1 and set 132.Fa ret 133to be a 134.Dv NULL 135pointer. 136.Pp 137The 138.Fn snprintf 139and 140.Fn vsnprintf 141functions 142will write at most 143.Fa size Ns \-1 144of the characters printed into the output string 145(the 146.Fa size Ns 'th 147character then gets the terminating 148.Ql \e0 ) ; 149if the return value is greater than or equal to the 150.Fa size 151argument, the string was too short 152and some of the printed characters were discarded. 153The output is always null-terminated, unless 154.Fa size 155is 0. 156.Pp 157The 158.Fn sprintf 159and 160.Fn vsprintf 161functions 162effectively assume a 163.Fa size 164of 165.Dv INT_MAX + 1. 166.Pp 167The format string is composed of zero or more directives: 168ordinary 169.\" multibyte 170characters (not 171.Cm % ) , 172which are copied unchanged to the output stream; 173and conversion specifications, each of which results 174in fetching zero or more subsequent arguments. 175Each conversion specification is introduced by 176the 177.Cm % 178character. 179The arguments must correspond properly (after type promotion) 180with the conversion specifier. 181After the 182.Cm % , 183the following appear in sequence: 184.Bl -bullet 185.It 186An optional field, consisting of a decimal digit string followed by a 187.Cm $ , 188specifying the next argument to access. 189If this field is not provided, the argument following the last 190argument accessed will be used. 191Arguments are numbered starting at 192.Cm 1 . 193If unaccessed arguments in the format string are interspersed with ones that 194are accessed the results will be indeterminate. 195.It 196Zero or more of the following flags: 197.Bl -tag -width ".So \ Sc (space)" 198.It Sq Cm # 199The value should be converted to an 200.Dq alternate form . 201For 202.Cm c , d , i , n , p , s , 203and 204.Cm u 205conversions, this option has no effect. 206For 207.Cm o 208conversions, the precision of the number is increased to force the first 209character of the output string to a zero. 210For 211.Cm x 212and 213.Cm X 214conversions, a non-zero result has the string 215.Ql 0x 216(or 217.Ql 0X 218for 219.Cm X 220conversions) prepended to it. 221For 222.Cm a , A , e , E , f , F , g , 223and 224.Cm G 225conversions, the result will always contain a decimal point, even if no 226digits follow it (normally, a decimal point appears in the results of 227those conversions only if a digit follows). 228For 229.Cm g 230and 231.Cm G 232conversions, trailing zeros are not removed from the result as they 233would otherwise be. 234.It So Cm 0 Sc (zero) 235Zero padding. 236For all conversions except 237.Cm n , 238the converted value is padded on the left with zeros rather than blanks. 239If a precision is given with a numeric conversion 240.Cm ( d , i , o , u , i , x , 241and 242.Cm X ) , 243the 244.Cm 0 245flag is ignored. 246.It Sq Cm \- 247A negative field width flag; 248the converted value is to be left adjusted on the field boundary. 249Except for 250.Cm n 251conversions, the converted value is padded on the right with blanks, 252rather than on the left with blanks or zeros. 253A 254.Cm \- 255overrides a 256.Cm 0 257if both are given. 258.It So "\ " Sc (space) 259A blank should be left before a positive number 260produced by a signed conversion 261.Cm ( a , A , d , e , E , f , F , g , G , 262or 263.Cm i ) . 264.It Sq Cm + 265A sign must always be placed before a 266number produced by a signed conversion. 267A 268.Cm + 269overrides a space if both are used. 270.It So "'" Sc (apostrophe) 271Decimal conversions 272.Cm ( d , u , 273or 274.Cm i ) 275or the integral portion of a floating point conversion 276.Cm ( f 277or 278.Cm F ) 279should be grouped and separated by thousands using 280the non-monetary separator returned by 281.Xr localeconv 3 . 282.El 283.It 284An optional decimal digit string specifying a minimum field width. 285If the converted value has fewer characters than the field width, it will 286be padded with spaces on the left (or right, if the left-adjustment 287flag has been given) to fill out 288the field width. 289.It 290An optional precision, in the form of a period 291.Cm \&. 292followed by an 293optional digit string. 294If the digit string is omitted, the precision is taken as zero. 295This gives the minimum number of digits to appear for 296.Cm d , i , o , u , x , 297and 298.Cm X 299conversions, the number of digits to appear after the decimal-point for 300.Cm a , A , e , E , f , 301and 302.Cm F 303conversions, the maximum number of significant digits for 304.Cm g 305and 306.Cm G 307conversions, or the maximum number of characters to be printed from a 308string for 309.Cm s 310conversions. 311.It 312An optional length modifier, that specifies the size of the argument. 313The following length modifiers are valid for the 314.Cm d , i , n , o , u , x , 315or 316.Cm X 317conversion: 318.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *" 319.It Sy Modifier Ta Cm d , i Ta Cm o , u , x , X Ta Cm n 320.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *" 321.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *" 322.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *" 323.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *" 324.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *" 325.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *" 326.It Cm z Ta (see note) Ta Vt size_t Ta (see note) 327.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *" 328.El 329.Pp 330Note: 331the 332.Cm t 333modifier, when applied to a 334.Cm o , u , x , 335or 336.Cm X 337conversion, indicates that the argument is of an unsigned type 338equivalent in size to a 339.Vt ptrdiff_t . 340The 341.Cm z 342modifier, when applied to a 343.Cm d 344or 345.Cm i 346conversion, indicates that the argument is of a signed type equivalent in 347size to a 348.Vt size_t . 349Similarly, when applied to an 350.Cm n 351conversion, it indicates that the argument is a pointer to a signed type 352equivalent in size to a 353.Vt size_t . 354.Pp 355The following length modifier is valid for the 356.Cm a , A , e , E , f , F , g , 357or 358.Cm G 359conversion: 360.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G" 361.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G 362.It Cm l No (ell) Ta Vt double 363(ignored, same behavior as without it) 364.It Cm L Ta Vt "long double" 365.El 366.Pp 367The following length modifier is valid for the 368.Cm c 369or 370.Cm s 371conversion: 372.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *" 373.It Sy Modifier Ta Cm c Ta Cm s 374.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *" 375.El 376.It 377A character that specifies the type of conversion to be applied. 378.El 379.Pp 380A field width or precision, or both, may be indicated by 381an asterisk 382.Ql * 383or an asterisk followed by one or more decimal digits and a 384.Ql $ 385instead of a 386digit string. 387In this case, an 388.Vt int 389argument supplies the field width or precision. 390A negative field width is treated as a left adjustment flag followed by a 391positive field width; a negative precision is treated as though it were 392missing. 393If a single format directive mixes positional 394.Pq Li nn$ 395and non-positional arguments, the results are undefined. 396.Pp 397The conversion specifiers and their meanings are: 398.Bl -tag -width ".Cm diouxX" 399.It Cm diouxX 400The 401.Vt int 402(or appropriate variant) argument is converted to signed decimal 403.Cm ( d 404and 405.Cm i ) , 406unsigned octal 407.Pq Cm o , 408unsigned decimal 409.Pq Cm u , 410or unsigned hexadecimal 411.Cm ( x 412and 413.Cm X ) 414notation. 415The letters 416.Dq Li abcdef 417are used for 418.Cm x 419conversions; the letters 420.Dq Li ABCDEF 421are used for 422.Cm X 423conversions. 424The precision, if any, gives the minimum number of digits that must 425appear; if the converted value requires fewer digits, it is padded on 426the left with zeros. 427.It Cm DOU 428The 429.Vt "long int" 430argument is converted to signed decimal, unsigned octal, or unsigned 431decimal, as if the format had been 432.Cm ld , lo , 433or 434.Cm lu 435respectively. 436These conversion characters are deprecated, and will eventually disappear. 437.It Cm eE 438The 439.Vt double 440argument is rounded and converted in the style 441.Sm off 442.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd 443.Sm on 444where there is one digit before the 445decimal-point character 446and the number of digits after it is equal to the precision; 447if the precision is missing, 448it is taken as 6; if the precision is 449zero, no decimal-point character appears. 450An 451.Cm E 452conversion uses the letter 453.Ql E 454(rather than 455.Ql e ) 456to introduce the exponent. 457The exponent always contains at least two digits; if the value is zero, 458the exponent is 00. 459.Pp 460For 461.Cm a , A , e , E , f , F , g , 462and 463.Cm G 464conversions, positive and negative infinity are represented as 465.Li inf 466and 467.Li -inf 468respectively when using the lowercase conversion character, and 469.Li INF 470and 471.Li -INF 472respectively when using the uppercase conversion character. 473Similarly, NaN is represented as 474.Li nan 475when using the lowercase conversion, and 476.Li NAN 477when using the uppercase conversion. 478.It Cm fF 479The 480.Vt double 481argument is rounded and converted to decimal notation in the style 482.Sm off 483.Oo \- Oc Ar ddd Li \&. Ar ddd , 484.Sm on 485where the number of digits after the decimal-point character 486is equal to the precision specification. 487If the precision is missing, it is taken as 6; if the precision is 488explicitly zero, no decimal-point character appears. 489If a decimal point appears, at least one digit appears before it. 490.It Cm gG 491The 492.Vt double 493argument is converted in style 494.Cm f 495or 496.Cm e 497(or 498.Cm F 499or 500.Cm E 501for 502.Cm G 503conversions). 504The precision specifies the number of significant digits. 505If the precision is missing, 6 digits are given; if the precision is zero, 506it is treated as 1. 507Style 508.Cm e 509is used if the exponent from its conversion is less than \-4 or greater than 510or equal to the precision. 511Trailing zeros are removed from the fractional part of the result; a 512decimal point appears only if it is followed by at least one digit. 513.It Cm aA 514The 515.Vt double 516argument is rounded and converted to hexadecimal notation in the style 517.Sm off 518.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d , 519.Sm on 520where the number of digits after the hexadecimal-point character 521is equal to the precision specification. 522If the precision is missing, it is taken as enough to represent 523the floating-point number exactly, and no rounding occurs. 524If the precision is zero, no hexadecimal-point character appears. 525The 526.Cm p 527is a literal character 528.Ql p , 529and the exponent consists of a positive or negative sign 530followed by a decimal number representing an exponent of 2. 531The 532.Cm A 533conversion uses the prefix 534.Dq Li 0X 535(rather than 536.Dq Li 0x ) , 537the letters 538.Dq Li ABCDEF 539(rather than 540.Dq Li abcdef ) 541to represent the hex digits, and the letter 542.Ql P 543(rather than 544.Ql p ) 545to separate the mantissa and exponent. 546.Pp 547Note that there may be multiple valid ways to represent floating-point 548numbers in this hexadecimal format. 549For example, 550.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 , 551and 552.Li 0xc.9p-2 553are all equivalent. 554.Fx 8.0 555and later always prints finite non-zero numbers using 556.Ql 1 557as the digit before the hexadecimal point. 558Zeroes are always represented with a mantissa of 0 (preceded by a 559.Ql - 560if appropriate) and an exponent of 561.Li +0 . 562.It Cm C 563Treated as 564.Cm c 565with the 566.Cm l 567(ell) modifier. 568.It Cm c 569The 570.Vt int 571argument is converted to an 572.Vt "unsigned char" , 573and the resulting character is written. 574.Pp 575If the 576.Cm l 577(ell) modifier is used, the 578.Vt wint_t 579argument shall be converted to a 580.Vt wchar_t , 581and the (potentially multi-byte) sequence representing the 582single wide character is written, including any shift sequences. 583If a shift sequence is used, the shift state is also restored 584to the original state after the character. 585.It Cm S 586Treated as 587.Cm s 588with the 589.Cm l 590(ell) modifier. 591.It Cm s 592The 593.Vt "char *" 594argument is expected to be a pointer to an array of character type (pointer 595to a string). 596Characters from the array are written up to (but not including) 597a terminating 598.Dv NUL 599character; 600if a precision is specified, no more than the number specified are 601written. 602If a precision is given, no null character 603need be present; if the precision is not specified, or is greater than 604the size of the array, the array must contain a terminating 605.Dv NUL 606character. 607.Pp 608If the 609.Cm l 610(ell) modifier is used, the 611.Vt "wchar_t *" 612argument is expected to be a pointer to an array of wide characters 613(pointer to a wide string). 614For each wide character in the string, the (potentially multi-byte) 615sequence representing the 616wide character is written, including any shift sequences. 617If any shift sequence is used, the shift state is also restored 618to the original state after the string. 619Wide characters from the array are written up to (but not including) 620a terminating wide 621.Dv NUL 622character; 623if a precision is specified, no more than the number of bytes specified are 624written (including shift sequences). 625Partial characters are never written. 626If a precision is given, no null character 627need be present; if the precision is not specified, or is greater than 628the number of bytes required to render the multibyte representation of 629the string, the array must contain a terminating wide 630.Dv NUL 631character. 632.It Cm p 633The 634.Vt "void *" 635pointer argument is printed in hexadecimal (as if by 636.Ql %#x 637or 638.Ql %#lx ) . 639.It Cm n 640The number of characters written so far is stored into the 641integer indicated by the 642.Vt "int *" 643(or variant) pointer argument. 644No argument is converted. 645.It Cm % 646A 647.Ql % 648is written. 649No argument is converted. 650The complete conversion specification 651is 652.Ql %% . 653.El 654.Pp 655The decimal point 656character is defined in the program's locale (category 657.Dv LC_NUMERIC ) . 658.Pp 659In no case does a non-existent or small field width cause truncation of 660a numeric field; if the result of a conversion is wider than the field 661width, the 662field is expanded to contain the conversion result. 663.Sh RETURN VALUES 664These functions return the number of characters printed 665(not including the trailing 666.Ql \e0 667used to end output to strings), 668except for 669.Fn snprintf 670and 671.Fn vsnprintf , 672which return the number of characters that would have been printed if the 673.Fa size 674were unlimited 675(again, not including the final 676.Ql \e0 ) . 677These functions return a negative value if an error occurs. 678.Sh EXAMPLES 679To print a date and time in the form 680.Dq Li "Sunday, July 3, 10:02" , 681where 682.Fa weekday 683and 684.Fa month 685are pointers to strings: 686.Bd -literal -offset indent 687#include <stdio.h> 688fprintf(stdout, "%s, %s %d, %.2d:%.2d\en", 689 weekday, month, day, hour, min); 690.Ed 691.Pp 692To print \*(Pi 693to five decimal places: 694.Bd -literal -offset indent 695#include <math.h> 696#include <stdio.h> 697fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0)); 698.Ed 699.Pp 700To allocate a 128 byte string and print into it: 701.Bd -literal -offset indent 702#include <stdio.h> 703#include <stdlib.h> 704#include <stdarg.h> 705char *newfmt(const char *fmt, ...) 706{ 707 char *p; 708 va_list ap; 709 if ((p = malloc(128)) == NULL) 710 return (NULL); 711 va_start(ap, fmt); 712 (void) vsnprintf(p, 128, fmt, ap); 713 va_end(ap); 714 return (p); 715} 716.Ed 717.Sh COMPATIBILITY 718Many application writers used the name 719.Va dprintf 720before the 721.Fn dprintf 722function was introduced in 723.St -p1003.1 , 724so a prototype is not provided by default in order to avoid 725compatibility problems. 726Applications that wish to use the 727.Fn dprintf 728function described herein should either request a strict 729.St -p1003.1-2008 730environment by defining the macro 731.Dv _POSIX_C_SOURCE 732to the value 200809 or greater, or by defining the macro 733.Dv _WITH_DPRINTF , 734prior to the inclusion of 735.In stdio.h . 736For compatibility with GNU libc, defining either 737.Dv _BSD_SOURCE 738or 739.Dv _GNU_SOURCE 740prior to the inclusion of 741.In stdio.h 742will also make 743.Fn dprintf 744available. 745.Pp 746The conversion formats 747.Cm \&%D , \&%O , 748and 749.Cm \&%U 750are not standard and 751are provided only for backward compatibility. 752The effect of padding the 753.Cm %p 754format with zeros (either by the 755.Cm 0 756flag or by specifying a precision), and the benign effect (i.e., none) 757of the 758.Cm # 759flag on 760.Cm %n 761and 762.Cm %p 763conversions, as well as other 764nonsensical combinations such as 765.Cm %Ld , 766are not standard; such combinations 767should be avoided. 768.Sh ERRORS 769In addition to the errors documented for the 770.Xr write 2 771system call, the 772.Fn printf 773family of functions may fail if: 774.Bl -tag -width Er 775.It Bq Er EILSEQ 776An invalid wide character code was encountered. 777.It Bq Er ENOMEM 778Insufficient storage space is available. 779.It Bq Er EOVERFLOW 780The 781.Fa size 782argument exceeds 783.Dv INT_MAX + 1 , 784or the return value would be too large to be represented by an 785.Vt int . 786.El 787.Sh SEE ALSO 788.Xr printf 1 , 789.Xr fmtcheck 3 , 790.Xr scanf 3 , 791.Xr setlocale 3 , 792.Xr wprintf 3 793.Sh STANDARDS 794Subject to the caveats noted in the 795.Sx BUGS 796section below, the 797.Fn fprintf , 798.Fn printf , 799.Fn sprintf , 800.Fn vprintf , 801.Fn vfprintf , 802and 803.Fn vsprintf 804functions 805conform to 806.St -ansiC 807and 808.St -isoC-99 . 809With the same reservation, the 810.Fn snprintf 811and 812.Fn vsnprintf 813functions conform to 814.St -isoC-99 , 815while 816.Fn dprintf 817and 818.Fn vdprintf 819conform to 820.St -p1003.1-2008 . 821.Sh HISTORY 822The functions 823.Fn asprintf 824and 825.Fn vasprintf 826first appeared in the 827.Tn GNU C 828library. 829These were implemented by 830.An Peter Wemm Aq peter@FreeBSD.org 831in 832.Fx 2.2 , 833but were later replaced with a different implementation 834from 835.Ox 2.3 836by 837.An Todd C. Miller Aq Todd.Miller@courtesan.com . 838The 839.Fn dprintf 840and 841.Fn vdprintf 842functions were added in 843.Fx 8.0 . 844.Sh BUGS 845The 846.Nm 847family of functions do not correctly handle multibyte characters in the 848.Fa format 849argument. 850.Sh SECURITY CONSIDERATIONS 851The 852.Fn sprintf 853and 854.Fn vsprintf 855functions are easily misused in a manner which enables malicious users 856to arbitrarily change a running program's functionality through 857a buffer overflow attack. 858Because 859.Fn sprintf 860and 861.Fn vsprintf 862assume an infinitely long string, 863callers must be careful not to overflow the actual space; 864this is often hard to assure. 865For safety, programmers should use the 866.Fn snprintf 867interface instead. 868For example: 869.Bd -literal 870void 871foo(const char *arbitrary_string, const char *and_another) 872{ 873 char onstack[8]; 874 875#ifdef BAD 876 /* 877 * This first sprintf is bad behavior. Do not use sprintf! 878 */ 879 sprintf(onstack, "%s, %s", arbitrary_string, and_another); 880#else 881 /* 882 * The following two lines demonstrate better use of 883 * snprintf(). 884 */ 885 snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, 886 and_another); 887#endif 888} 889.Ed 890.Pp 891The 892.Fn printf 893and 894.Fn sprintf 895family of functions are also easily misused in a manner 896allowing malicious users to arbitrarily change a running program's 897functionality by either causing the program 898to print potentially sensitive data 899.Dq "left on the stack" , 900or causing it to generate a memory fault or bus error 901by dereferencing an invalid pointer. 902.Pp 903.Cm %n 904can be used to write arbitrary data to potentially carefully-selected 905addresses. 906Programmers are therefore strongly advised to never pass untrusted strings 907as the 908.Fa format 909argument, as an attacker can put format specifiers in the string 910to mangle your stack, 911leading to a possible security hole. 912This holds true even if the string was built using a function like 913.Fn snprintf , 914as the resulting string may still contain user-supplied conversion specifiers 915for later interpolation by 916.Fn printf . 917.Pp 918Always use the proper secure idiom: 919.Pp 920.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" 921