xref: /freebsd/lib/libc/stdio/printf.3 (revision c5fda9bac0325eb8c5b447717862d279006f318f)
1.\" Copyright (c) 1990, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" This code is derived from software contributed to Berkeley by
5.\" Chris Torek and the American National Standards Committee X3,
6.\" on Information Processing Systems.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\" 3. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"     @(#)printf.3	8.1 (Berkeley) 6/4/93
33.\" $FreeBSD$
34.\"
35.Dd May 22, 2018
36.Dt PRINTF 3
37.Os
38.Sh NAME
39.Nm printf ,
40.Nm fprintf ,
41.Nm sprintf ,
42.Nm snprintf ,
43.Nm asprintf ,
44.Nm dprintf ,
45.Nm vprintf ,
46.Nm vfprintf ,
47.Nm vsprintf ,
48.Nm vsnprintf ,
49.Nm vasprintf ,
50.Nm vdprintf
51.Nd formatted output conversion
52.Sh LIBRARY
53.Lb libc
54.Sh SYNOPSIS
55.In stdio.h
56.Ft int
57.Fn printf "const char * restrict format" ...
58.Ft int
59.Fn fprintf "FILE * restrict stream" "const char * restrict format" ...
60.Ft int
61.Fn sprintf "char * restrict str" "const char * restrict format" ...
62.Ft int
63.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ...
64.Ft int
65.Fn asprintf "char **ret" "const char *format" ...
66.Ft int
67.Fn dprintf "int fd" "const char * restrict format" ...
68.In stdarg.h
69.Ft int
70.Fn vprintf "const char * restrict format" "va_list ap"
71.Ft int
72.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap"
73.Ft int
74.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap"
75.Ft int
76.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap"
77.Ft int
78.Fn vasprintf "char **ret" "const char *format" "va_list ap"
79.Ft int
80.Fn vdprintf "int fd" "const char * restrict format" "va_list ap"
81.Sh DESCRIPTION
82The
83.Fn printf
84family of functions produces output according to a
85.Fa format
86as described below.
87The
88.Fn printf
89and
90.Fn vprintf
91functions
92write output to
93.Dv stdout ,
94the standard output stream;
95.Fn fprintf
96and
97.Fn vfprintf
98write output to the given output
99.Fa stream ;
100.Fn dprintf
101and
102.Fn vdprintf
103write output to the given file descriptor;
104.Fn sprintf ,
105.Fn snprintf ,
106.Fn vsprintf ,
107and
108.Fn vsnprintf
109write to the character string
110.Fa str ;
111and
112.Fn asprintf
113and
114.Fn vasprintf
115dynamically allocate a new string with
116.Xr malloc 3 .
117.Pp
118These functions write the output under the control of a
119.Fa format
120string that specifies how subsequent arguments
121(or arguments accessed via the variable-length argument facilities of
122.Xr stdarg 3 )
123are converted for output.
124.Pp
125The
126.Fn asprintf
127and
128.Fn vasprintf
129functions
130set
131.Fa *ret
132to be a pointer to a buffer sufficiently large to hold the formatted string.
133This pointer should be passed to
134.Xr free 3
135to release the allocated storage when it is no longer needed.
136If sufficient space cannot be allocated,
137.Fn asprintf
138and
139.Fn vasprintf
140will return \-1 and set
141.Fa ret
142to be a
143.Dv NULL
144pointer.
145.Pp
146The
147.Fn snprintf
148and
149.Fn vsnprintf
150functions
151will write at most
152.Fa size Ns \-1
153of the characters printed into the output string
154(the
155.Fa size Ns 'th
156character then gets the terminating
157.Ql \e0 ) ;
158if the return value is greater than or equal to the
159.Fa size
160argument, the string was too short
161and some of the printed characters were discarded.
162The output is always null-terminated, unless
163.Fa size
164is 0.
165.Pp
166The
167.Fn sprintf
168and
169.Fn vsprintf
170functions
171effectively assume a
172.Fa size
173of
174.Dv INT_MAX + 1.
175.Pp
176The format string is composed of zero or more directives:
177ordinary
178.\" multibyte
179characters (not
180.Cm % ) ,
181which are copied unchanged to the output stream;
182and conversion specifications, each of which results
183in fetching zero or more subsequent arguments.
184Each conversion specification is introduced by
185the
186.Cm %
187character.
188The arguments must correspond properly (after type promotion)
189with the conversion specifier.
190After the
191.Cm % ,
192the following appear in sequence:
193.Bl -bullet
194.It
195An optional field, consisting of a decimal digit string followed by a
196.Cm $ ,
197specifying the next argument to access.
198If this field is not provided, the argument following the last
199argument accessed will be used.
200Arguments are numbered starting at
201.Cm 1 .
202If unaccessed arguments in the format string are interspersed with ones that
203are accessed the results will be indeterminate.
204.It
205Zero or more of the following flags:
206.Bl -tag -width ".So \  Sc (space)"
207.It Sq Cm #
208The value should be converted to an
209.Dq alternate form .
210For
211.Cm c , d , i , n , p , s ,
212and
213.Cm u
214conversions, this option has no effect.
215For
216.Cm o
217conversions, the precision of the number is increased to force the first
218character of the output string to a zero.
219For
220.Cm x
221and
222.Cm X
223conversions, a non-zero result has the string
224.Ql 0x
225(or
226.Ql 0X
227for
228.Cm X
229conversions) prepended to it.
230For
231.Cm a , A , e , E , f , F , g ,
232and
233.Cm G
234conversions, the result will always contain a decimal point, even if no
235digits follow it (normally, a decimal point appears in the results of
236those conversions only if a digit follows).
237For
238.Cm g
239and
240.Cm G
241conversions, trailing zeros are not removed from the result as they
242would otherwise be.
243.It So Cm 0 Sc (zero)
244Zero padding.
245For all conversions except
246.Cm n ,
247the converted value is padded on the left with zeros rather than blanks.
248If a precision is given with a numeric conversion
249.Cm ( d , i , o , u , i , x ,
250and
251.Cm X ) ,
252the
253.Cm 0
254flag is ignored.
255.It Sq Cm \-
256A negative field width flag;
257the converted value is to be left adjusted on the field boundary.
258Except for
259.Cm n
260conversions, the converted value is padded on the right with blanks,
261rather than on the left with blanks or zeros.
262A
263.Cm \-
264overrides a
265.Cm 0
266if both are given.
267.It So "\ " Sc (space)
268A blank should be left before a positive number
269produced by a signed conversion
270.Cm ( a , A , d , e , E , f , F , g , G ,
271or
272.Cm i ) .
273.It Sq Cm +
274A sign must always be placed before a
275number produced by a signed conversion.
276A
277.Cm +
278overrides a space if both are used.
279.It So "'" Sc (apostrophe)
280Decimal conversions
281.Cm ( d , u ,
282or
283.Cm i )
284or the integral portion of a floating point conversion
285.Cm ( f
286or
287.Cm F )
288should be grouped and separated by thousands using
289the non-monetary separator returned by
290.Xr localeconv 3 .
291.El
292.It
293An optional decimal digit string specifying a minimum field width.
294If the converted value has fewer characters than the field width, it will
295be padded with spaces on the left (or right, if the left-adjustment
296flag has been given) to fill out
297the field width.
298.It
299An optional precision, in the form of a period
300.Cm \&.
301followed by an
302optional digit string.
303If the digit string is omitted, the precision is taken as zero.
304This gives the minimum number of digits to appear for
305.Cm d , i , o , u , x ,
306and
307.Cm X
308conversions, the number of digits to appear after the decimal-point for
309.Cm a , A , e , E , f ,
310and
311.Cm F
312conversions, the maximum number of significant digits for
313.Cm g
314and
315.Cm G
316conversions, or the maximum number of characters to be printed from a
317string for
318.Cm s
319conversions.
320.It
321An optional length modifier, that specifies the size of the argument.
322The following length modifiers are valid for the
323.Cm d , i , n , o , u , x ,
324or
325.Cm X
326conversion:
327.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *"
328.It Sy Modifier Ta Cm d , i Ta Cm o , u , x , X Ta Cm n
329.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *"
330.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *"
331.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *"
332.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *"
333.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *"
334.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *"
335.It Cm z Ta (see note) Ta Vt size_t Ta (see note)
336.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *"
337.El
338.Pp
339Note:
340the
341.Cm t
342modifier, when applied to a
343.Cm o , u , x ,
344or
345.Cm X
346conversion, indicates that the argument is of an unsigned type
347equivalent in size to a
348.Vt ptrdiff_t .
349The
350.Cm z
351modifier, when applied to a
352.Cm d
353or
354.Cm i
355conversion, indicates that the argument is of a signed type equivalent in
356size to a
357.Vt size_t .
358Similarly, when applied to an
359.Cm n
360conversion, it indicates that the argument is a pointer to a signed type
361equivalent in size to a
362.Vt size_t .
363.Pp
364The following length modifier is valid for the
365.Cm a , A , e , E , f , F , g ,
366or
367.Cm G
368conversion:
369.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G"
370.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G
371.It Cm l No (ell) Ta Vt double
372(ignored, same behavior as without it)
373.It Cm L Ta Vt "long double"
374.El
375.Pp
376The following length modifier is valid for the
377.Cm c
378or
379.Cm s
380conversion:
381.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *"
382.It Sy Modifier Ta Cm c Ta Cm s
383.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *"
384.El
385.It
386A character that specifies the type of conversion to be applied.
387.El
388.Pp
389A field width or precision, or both, may be indicated by
390an asterisk
391.Ql *
392or an asterisk followed by one or more decimal digits and a
393.Ql $
394instead of a
395digit string.
396In this case, an
397.Vt int
398argument supplies the field width or precision.
399A negative field width is treated as a left adjustment flag followed by a
400positive field width; a negative precision is treated as though it were
401missing.
402If a single format directive mixes positional
403.Pq Li nn$
404and non-positional arguments, the results are undefined.
405.Pp
406The conversion specifiers and their meanings are:
407.Bl -tag -width ".Cm diouxX"
408.It Cm diouxX
409The
410.Vt int
411(or appropriate variant) argument is converted to signed decimal
412.Cm ( d
413and
414.Cm i ) ,
415unsigned octal
416.Pq Cm o ,
417unsigned decimal
418.Pq Cm u ,
419or unsigned hexadecimal
420.Cm ( x
421and
422.Cm X )
423notation.
424The letters
425.Dq Li abcdef
426are used for
427.Cm x
428conversions; the letters
429.Dq Li ABCDEF
430are used for
431.Cm X
432conversions.
433The precision, if any, gives the minimum number of digits that must
434appear; if the converted value requires fewer digits, it is padded on
435the left with zeros.
436.It Cm DOU
437The
438.Vt "long int"
439argument is converted to signed decimal, unsigned octal, or unsigned
440decimal, as if the format had been
441.Cm ld , lo ,
442or
443.Cm lu
444respectively.
445These conversion characters are deprecated, and will eventually disappear.
446.It Cm eE
447The
448.Vt double
449argument is rounded and converted in the style
450.Sm off
451.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd
452.Sm on
453where there is one digit before the
454decimal-point character
455and the number of digits after it is equal to the precision;
456if the precision is missing,
457it is taken as 6; if the precision is
458zero, no decimal-point character appears.
459An
460.Cm E
461conversion uses the letter
462.Ql E
463(rather than
464.Ql e )
465to introduce the exponent.
466The exponent always contains at least two digits; if the value is zero,
467the exponent is 00.
468.Pp
469For
470.Cm a , A , e , E , f , F , g ,
471and
472.Cm G
473conversions, positive and negative infinity are represented as
474.Li inf
475and
476.Li -inf
477respectively when using the lowercase conversion character, and
478.Li INF
479and
480.Li -INF
481respectively when using the uppercase conversion character.
482Similarly, NaN is represented as
483.Li nan
484when using the lowercase conversion, and
485.Li NAN
486when using the uppercase conversion.
487.It Cm fF
488The
489.Vt double
490argument is rounded and converted to decimal notation in the style
491.Sm off
492.Oo \- Oc Ar ddd Li \&. Ar ddd ,
493.Sm on
494where the number of digits after the decimal-point character
495is equal to the precision specification.
496If the precision is missing, it is taken as 6; if the precision is
497explicitly zero, no decimal-point character appears.
498If a decimal point appears, at least one digit appears before it.
499.It Cm gG
500The
501.Vt double
502argument is converted in style
503.Cm f
504or
505.Cm e
506(or
507.Cm F
508or
509.Cm E
510for
511.Cm G
512conversions).
513The precision specifies the number of significant digits.
514If the precision is missing, 6 digits are given; if the precision is zero,
515it is treated as 1.
516Style
517.Cm e
518is used if the exponent from its conversion is less than \-4 or greater than
519or equal to the precision.
520Trailing zeros are removed from the fractional part of the result; a
521decimal point appears only if it is followed by at least one digit.
522.It Cm aA
523The
524.Vt double
525argument is rounded and converted to hexadecimal notation in the style
526.Sm off
527.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d ,
528.Sm on
529where the number of digits after the hexadecimal-point character
530is equal to the precision specification.
531If the precision is missing, it is taken as enough to represent
532the floating-point number exactly, and no rounding occurs.
533If the precision is zero, no hexadecimal-point character appears.
534The
535.Cm p
536is a literal character
537.Ql p ,
538and the exponent consists of a positive or negative sign
539followed by a decimal number representing an exponent of 2.
540The
541.Cm A
542conversion uses the prefix
543.Dq Li 0X
544(rather than
545.Dq Li 0x ) ,
546the letters
547.Dq Li ABCDEF
548(rather than
549.Dq Li abcdef )
550to represent the hex digits, and the letter
551.Ql P
552(rather than
553.Ql p )
554to separate the mantissa and exponent.
555.Pp
556Note that there may be multiple valid ways to represent floating-point
557numbers in this hexadecimal format.
558For example,
559.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 ,
560and
561.Li 0xc.9p-2
562are all equivalent.
563.Fx 8.0
564and later always prints finite non-zero numbers using
565.Ql 1
566as the digit before the hexadecimal point.
567Zeroes are always represented with a mantissa of 0 (preceded by a
568.Ql -
569if appropriate) and an exponent of
570.Li +0 .
571.It Cm C
572Treated as
573.Cm c
574with the
575.Cm l
576(ell) modifier.
577.It Cm c
578The
579.Vt int
580argument is converted to an
581.Vt "unsigned char" ,
582and the resulting character is written.
583.Pp
584If the
585.Cm l
586(ell) modifier is used, the
587.Vt wint_t
588argument shall be converted to a
589.Vt wchar_t ,
590and the (potentially multi-byte) sequence representing the
591single wide character is written, including any shift sequences.
592If a shift sequence is used, the shift state is also restored
593to the original state after the character.
594.It Cm S
595Treated as
596.Cm s
597with the
598.Cm l
599(ell) modifier.
600.It Cm s
601The
602.Vt "char *"
603argument is expected to be a pointer to an array of character type (pointer
604to a string).
605Characters from the array are written up to (but not including)
606a terminating
607.Dv NUL
608character;
609if a precision is specified, no more than the number specified are
610written.
611If a precision is given, no null character
612need be present; if the precision is not specified, or is greater than
613the size of the array, the array must contain a terminating
614.Dv NUL
615character.
616.Pp
617If the
618.Cm l
619(ell) modifier is used, the
620.Vt "wchar_t *"
621argument is expected to be a pointer to an array of wide characters
622(pointer to a wide string).
623For each wide character in the string, the (potentially multi-byte)
624sequence representing the
625wide character is written, including any shift sequences.
626If any shift sequence is used, the shift state is also restored
627to the original state after the string.
628Wide characters from the array are written up to (but not including)
629a terminating wide
630.Dv NUL
631character;
632if a precision is specified, no more than the number of bytes specified are
633written (including shift sequences).
634Partial characters are never written.
635If a precision is given, no null character
636need be present; if the precision is not specified, or is greater than
637the number of bytes required to render the multibyte representation of
638the string, the array must contain a terminating wide
639.Dv NUL
640character.
641.It Cm p
642The
643.Vt "void *"
644pointer argument is printed in hexadecimal (as if by
645.Ql %#x
646or
647.Ql %#lx ) .
648.It Cm n
649The number of characters written so far is stored into the
650integer indicated by the
651.Vt "int *"
652(or variant) pointer argument.
653No argument is converted.
654.It Cm m
655Print the string representation of the error code stored in the
656.Dv errno
657variable at the beginning of the call, as returned by
658.Xr strerror 3 .
659No argument is taken.
660.It Cm %
661A
662.Ql %
663is written.
664No argument is converted.
665The complete conversion specification
666is
667.Ql %% .
668.El
669.Pp
670The decimal point
671character is defined in the program's locale (category
672.Dv LC_NUMERIC ) .
673.Pp
674In no case does a non-existent or small field width cause truncation of
675a numeric field; if the result of a conversion is wider than the field
676width, the
677field is expanded to contain the conversion result.
678.Sh RETURN VALUES
679These functions return the number of characters printed
680(not including the trailing
681.Ql \e0
682used to end output to strings),
683except for
684.Fn snprintf
685and
686.Fn vsnprintf ,
687which return the number of characters that would have been printed if the
688.Fa size
689were unlimited
690(again, not including the final
691.Ql \e0 ) .
692These functions return a negative value if an error occurs.
693.Sh EXAMPLES
694To print a date and time in the form
695.Dq Li "Sunday, July 3, 10:02" ,
696where
697.Fa weekday
698and
699.Fa month
700are pointers to strings:
701.Bd -literal -offset indent
702#include <stdio.h>
703fprintf(stdout, "%s, %s %d, %.2d:%.2d\en",
704	weekday, month, day, hour, min);
705.Ed
706.Pp
707To print \*(Pi
708to five decimal places:
709.Bd -literal -offset indent
710#include <math.h>
711#include <stdio.h>
712fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0));
713.Ed
714.Pp
715To allocate a 128 byte string and print into it:
716.Bd -literal -offset indent
717#include <stdio.h>
718#include <stdlib.h>
719#include <stdarg.h>
720char *newfmt(const char *fmt, ...)
721{
722	char *p;
723	va_list ap;
724	if ((p = malloc(128)) == NULL)
725		return (NULL);
726	va_start(ap, fmt);
727	(void) vsnprintf(p, 128, fmt, ap);
728	va_end(ap);
729	return (p);
730}
731.Ed
732.Sh COMPATIBILITY
733The conversion formats
734.Cm \&%D , \&%O ,
735and
736.Cm \&%U
737are not standard and
738are provided only for backward compatibility.
739The conversion format
740.Cm \&%m
741is also not standard and provides the popular extension from the
742.Tn GNU C
743library.
744.Pp
745The effect of padding the
746.Cm %p
747format with zeros (either by the
748.Cm 0
749flag or by specifying a precision), and the benign effect (i.e., none)
750of the
751.Cm #
752flag on
753.Cm %n
754and
755.Cm %p
756conversions, as well as other
757nonsensical combinations such as
758.Cm %Ld ,
759are not standard; such combinations
760should be avoided.
761.Sh ERRORS
762In addition to the errors documented for the
763.Xr write 2
764system call, the
765.Fn printf
766family of functions may fail if:
767.Bl -tag -width Er
768.It Bq Er EILSEQ
769An invalid wide character code was encountered.
770.It Bq Er ENOMEM
771Insufficient storage space is available.
772.It Bq Er EOVERFLOW
773The
774.Fa size
775argument exceeds
776.Dv INT_MAX + 1 ,
777or the return value would be too large to be represented by an
778.Vt int .
779.El
780.Sh SEE ALSO
781.Xr printf 1 ,
782.Xr errno 2 ,
783.Xr fmtcheck 3 ,
784.Xr scanf 3 ,
785.Xr setlocale 3 ,
786.Xr strerror 3 ,
787.Xr wprintf 3
788.Sh STANDARDS
789Subject to the caveats noted in the
790.Sx BUGS
791section below, the
792.Fn fprintf ,
793.Fn printf ,
794.Fn sprintf ,
795.Fn vprintf ,
796.Fn vfprintf ,
797and
798.Fn vsprintf
799functions
800conform to
801.St -ansiC
802and
803.St -isoC-99 .
804With the same reservation, the
805.Fn snprintf
806and
807.Fn vsnprintf
808functions conform to
809.St -isoC-99 ,
810while
811.Fn dprintf
812and
813.Fn vdprintf
814conform to
815.St -p1003.1-2008 .
816.Sh HISTORY
817The functions
818.Fn asprintf
819and
820.Fn vasprintf
821first appeared in the
822.Tn GNU C
823library.
824These were implemented by
825.An Peter Wemm Aq Mt peter@FreeBSD.org
826in
827.Fx 2.2 ,
828but were later replaced with a different implementation
829from
830.Ox 2.3
831by
832.An Todd C. Miller Aq Mt Todd.Miller@courtesan.com .
833The
834.Fn dprintf
835and
836.Fn vdprintf
837functions were added in
838.Fx 8.0 .
839The
840.Cm \&%m
841format extension first appeared in the
842.Tn GNU C
843library, and was implemented in
844.Fx 12.0 .
845.Sh BUGS
846The
847.Nm
848family of functions do not correctly handle multibyte characters in the
849.Fa format
850argument.
851.Sh SECURITY CONSIDERATIONS
852The
853.Fn sprintf
854and
855.Fn vsprintf
856functions are easily misused in a manner which enables malicious users
857to arbitrarily change a running program's functionality through
858a buffer overflow attack.
859Because
860.Fn sprintf
861and
862.Fn vsprintf
863assume an infinitely long string,
864callers must be careful not to overflow the actual space;
865this is often hard to assure.
866For safety, programmers should use the
867.Fn snprintf
868interface instead.
869For example:
870.Bd -literal
871void
872foo(const char *arbitrary_string, const char *and_another)
873{
874	char onstack[8];
875
876#ifdef BAD
877	/*
878	 * This first sprintf is bad behavior.  Do not use sprintf!
879	 */
880	sprintf(onstack, "%s, %s", arbitrary_string, and_another);
881#else
882	/*
883	 * The following two lines demonstrate better use of
884	 * snprintf().
885	 */
886	snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string,
887	    and_another);
888#endif
889}
890.Ed
891.Pp
892The
893.Fn printf
894and
895.Fn sprintf
896family of functions are also easily misused in a manner
897allowing malicious users to arbitrarily change a running program's
898functionality by either causing the program
899to print potentially sensitive data
900.Dq "left on the stack" ,
901or causing it to generate a memory fault or bus error
902by dereferencing an invalid pointer.
903.Pp
904.Cm %n
905can be used to write arbitrary data to potentially carefully-selected
906addresses.
907Programmers are therefore strongly advised to never pass untrusted strings
908as the
909.Fa format
910argument, as an attacker can put format specifiers in the string
911to mangle your stack,
912leading to a possible security hole.
913This holds true even if the string was built using a function like
914.Fn snprintf ,
915as the resulting string may still contain user-supplied conversion specifiers
916for later interpolation by
917.Fn printf .
918.Pp
919Always use the proper secure idiom:
920.Pp
921.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);"
922