1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" This code is derived from software contributed to Berkeley by 5.\" Chris Torek and the American National Standards Committee X3, 6.\" on Information Processing Systems. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 3. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.Dd September 5, 2023 33.Dt PRINTF 3 34.Os 35.Sh NAME 36.Nm printf , 37.Nm fprintf , 38.Nm sprintf , 39.Nm snprintf , 40.Nm asprintf , 41.Nm dprintf , 42.Nm vprintf , 43.Nm vfprintf , 44.Nm vsprintf , 45.Nm vsnprintf , 46.Nm vasprintf , 47.Nm vdprintf 48.Nd formatted output conversion 49.Sh LIBRARY 50.Lb libc 51.Sh SYNOPSIS 52.In stdio.h 53.Ft int 54.Fn printf "const char * restrict format" ... 55.Ft int 56.Fn fprintf "FILE * restrict stream" "const char * restrict format" ... 57.Ft int 58.Fn sprintf "char * restrict str" "const char * restrict format" ... 59.Ft int 60.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ... 61.Ft int 62.Fn asprintf "char **ret" "const char *format" ... 63.Ft int 64.Fn dprintf "int fd" "const char * restrict format" ... 65.In stdarg.h 66.Ft int 67.Fn vprintf "const char * restrict format" "va_list ap" 68.Ft int 69.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap" 70.Ft int 71.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap" 72.Ft int 73.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap" 74.Ft int 75.Fn vasprintf "char **ret" "const char *format" "va_list ap" 76.Ft int 77.Fn vdprintf "int fd" "const char * restrict format" "va_list ap" 78.Sh DESCRIPTION 79The 80.Fn printf 81family of functions produces output according to a 82.Fa format 83as described below. 84The 85.Fn printf 86and 87.Fn vprintf 88functions 89write output to 90.Dv stdout , 91the standard output stream; 92.Fn fprintf 93and 94.Fn vfprintf 95write output to the given output 96.Fa stream ; 97.Fn dprintf 98and 99.Fn vdprintf 100write output to the given file descriptor; 101.Fn sprintf , 102.Fn snprintf , 103.Fn vsprintf , 104and 105.Fn vsnprintf 106write to the character string 107.Fa str ; 108and 109.Fn asprintf 110and 111.Fn vasprintf 112dynamically allocate a new string with 113.Xr malloc 3 . 114.Pp 115These functions write the output under the control of a 116.Fa format 117string that specifies how subsequent arguments 118(or arguments accessed via the variable-length argument facilities of 119.Xr stdarg 3 ) 120are converted for output. 121.Pp 122The 123.Fn asprintf 124and 125.Fn vasprintf 126functions 127set 128.Fa *ret 129to be a pointer to a buffer sufficiently large to hold the formatted string. 130This pointer should be passed to 131.Xr free 3 132to release the allocated storage when it is no longer needed. 133If sufficient space cannot be allocated, 134.Fn asprintf 135and 136.Fn vasprintf 137will return \-1 and set 138.Fa ret 139to be a 140.Dv NULL 141pointer. 142.Pp 143The 144.Fn snprintf 145and 146.Fn vsnprintf 147functions 148will write at most 149.Fa size Ns \-1 150of the characters printed into the output string 151(the 152.Fa size Ns 'th 153character then gets the terminating 154.Ql \e0 ) ; 155if the return value is greater than or equal to the 156.Fa size 157argument, the string was too short 158and some of the printed characters were discarded. 159The output is always null-terminated, unless 160.Fa size 161is 0. 162.Pp 163The 164.Fn sprintf 165and 166.Fn vsprintf 167functions 168effectively assume a 169.Fa size 170of 171.Dv INT_MAX + 1. 172.Pp 173The format string is composed of zero or more directives: 174ordinary 175.\" multibyte 176characters (not 177.Cm % ) , 178which are copied unchanged to the output stream; 179and conversion specifications, each of which results 180in fetching zero or more subsequent arguments. 181Each conversion specification is introduced by 182the 183.Cm % 184character. 185The arguments must correspond properly (after type promotion) 186with the conversion specifier. 187After the 188.Cm % , 189the following appear in sequence: 190.Bl -bullet 191.It 192An optional field, consisting of a decimal digit string followed by a 193.Cm $ , 194specifying the next argument to access. 195If this field is not provided, the argument following the last 196argument accessed will be used. 197Arguments are numbered starting at 198.Cm 1 . 199If unaccessed arguments in the format string are interspersed with ones that 200are accessed the results will be indeterminate. 201.It 202Zero or more of the following flags: 203.Bl -tag -width ".So \ Sc (space)" 204.It Sq Cm # 205The value should be converted to an 206.Dq alternate form . 207For 208.Cm c , d , i , n , p , s , 209and 210.Cm u 211conversions, this option has no effect. 212For 213.Cm b 214and 215.Cm B 216conversions, a non-zero result has the string 217.Ql 0b 218(or 219.Ql 0B 220for 221.Cm B 222conversions) prepended to it. 223For 224.Cm o 225conversions, the precision of the number is increased to force the first 226character of the output string to a zero. 227For 228.Cm x 229and 230.Cm X 231conversions, a non-zero result has the string 232.Ql 0x 233(or 234.Ql 0X 235for 236.Cm X 237conversions) prepended to it. 238For 239.Cm a , A , e , E , f , F , g , 240and 241.Cm G 242conversions, the result will always contain a decimal point, even if no 243digits follow it (normally, a decimal point appears in the results of 244those conversions only if a digit follows). 245For 246.Cm g 247and 248.Cm G 249conversions, trailing zeros are not removed from the result as they 250would otherwise be. 251.It So Cm 0 Sc (zero) 252Zero padding. 253For all conversions except 254.Cm n , 255the converted value is padded on the left with zeros rather than blanks. 256If a precision is given with a numeric conversion 257.Cm ( b , B , d , i , o , u , i , x , 258and 259.Cm X ) , 260the 261.Cm 0 262flag is ignored. 263.It Sq Cm \- 264A negative field width flag; 265the converted value is to be left adjusted on the field boundary. 266Except for 267.Cm n 268conversions, the converted value is padded on the right with blanks, 269rather than on the left with blanks or zeros. 270A 271.Cm \- 272overrides a 273.Cm 0 274if both are given. 275.It So "\ " Sc (space) 276A blank should be left before a positive number 277produced by a signed conversion 278.Cm ( a , A , d , e , E , f , F , g , G , 279or 280.Cm i ) . 281.It Sq Cm + 282A sign must always be placed before a 283number produced by a signed conversion. 284A 285.Cm + 286overrides a space if both are used. 287.It So "'" Sc (apostrophe) 288Decimal conversions 289.Cm ( d , u , 290or 291.Cm i ) 292or the integral portion of a floating point conversion 293.Cm ( f 294or 295.Cm F ) 296should be grouped and separated by thousands using 297the non-monetary separator returned by 298.Xr localeconv 3 . 299.El 300.It 301An optional decimal digit string specifying a minimum field width. 302If the converted value has fewer characters than the field width, it will 303be padded with spaces on the left (or right, if the left-adjustment 304flag has been given) to fill out 305the field width. 306.It 307An optional precision, in the form of a period 308.Cm \&. 309followed by an 310optional digit string. 311If the digit string is omitted, the precision is taken as zero. 312This gives the minimum number of digits to appear for 313.Cm b , B , d , i , o , u , x , 314and 315.Cm X 316conversions, the number of digits to appear after the decimal-point for 317.Cm a , A , e , E , f , 318and 319.Cm F 320conversions, the maximum number of significant digits for 321.Cm g 322and 323.Cm G 324conversions, or the maximum number of characters to be printed from a 325string for 326.Cm s 327conversions. 328.It 329An optional length modifier, that specifies the size of the argument. 330The following length modifiers are valid for the 331.Cm b , B , d , i , n , o , u , x , 332or 333.Cm X 334conversion: 335.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *" 336.It Sy Modifier Ta Cm d , i Ta Cm b , B , o , u , x , X Ta Cm n 337.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *" 338.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *" 339.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *" 340.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *" 341.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *" 342.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *" 343.It Cm w Ns Ar N Ta Vt intN_t Ta Vt uintN_t Ta Vt "intN_t *" 344.It Cm wf Ns Ar N Ta Vt int_fastN_t Ta Vt uint_fastN_t Ta Vt "int_fastN_t *" 345.It Cm z Ta (see note) Ta Vt size_t Ta (see note) 346.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *" 347.El 348.Pp 349Note: 350the 351.Cm t 352modifier, when applied to a 353.Cm b , B , o , u , x , 354or 355.Cm X 356conversion, indicates that the argument is of an unsigned type 357equivalent in size to a 358.Vt ptrdiff_t . 359The 360.Cm z 361modifier, when applied to a 362.Cm d 363or 364.Cm i 365conversion, indicates that the argument is of a signed type equivalent in 366size to a 367.Vt size_t . 368Similarly, when applied to an 369.Cm n 370conversion, it indicates that the argument is a pointer to a signed type 371equivalent in size to a 372.Vt size_t . 373.Pp 374The following length modifier is valid for the 375.Cm a , A , e , E , f , F , g , 376or 377.Cm G 378conversion: 379.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G" 380.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G 381.It Cm l No (ell) Ta Vt double 382(ignored, same behavior as without it) 383.It Cm L Ta Vt "long double" 384.El 385.Pp 386The following length modifier is valid for the 387.Cm c 388or 389.Cm s 390conversion: 391.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *" 392.It Sy Modifier Ta Cm c Ta Cm s 393.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *" 394.El 395.It 396A character that specifies the type of conversion to be applied. 397.El 398.Pp 399A field width or precision, or both, may be indicated by 400an asterisk 401.Ql * 402or an asterisk followed by one or more decimal digits and a 403.Ql $ 404instead of a 405digit string. 406In this case, an 407.Vt int 408argument supplies the field width or precision. 409A negative field width is treated as a left adjustment flag followed by a 410positive field width; a negative precision is treated as though it were 411missing. 412If a single format directive mixes positional 413.Pq Li nn$ 414and non-positional arguments, the results are undefined. 415.Pp 416The conversion specifiers and their meanings are: 417.Bl -tag -width ".Cm bBdiouxX" 418.It Cm bBdiouxX 419The 420.Vt int 421(or appropriate variant) argument is converted to 422unsigned binary 423.Cm ( b 424and 425.Cm B ) , 426signed decimal 427.Cm ( d 428and 429.Cm i ) , 430unsigned octal 431.Pq Cm o , 432unsigned decimal 433.Pq Cm u , 434or unsigned hexadecimal 435.Cm ( x 436and 437.Cm X ) 438notation. 439The letters 440.Dq Li abcdef 441are used for 442.Cm x 443conversions; the letters 444.Dq Li ABCDEF 445are used for 446.Cm X 447conversions. 448The precision, if any, gives the minimum number of digits that must 449appear; if the converted value requires fewer digits, it is padded on 450the left with zeros. 451.It Cm DOU 452The 453.Vt "long int" 454argument is converted to signed decimal, unsigned octal, or unsigned 455decimal, as if the format had been 456.Cm ld , lo , 457or 458.Cm lu 459respectively. 460These conversion characters are deprecated, and will eventually disappear. 461.It Cm eE 462The 463.Vt double 464argument is rounded and converted in the style 465.Sm off 466.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd 467.Sm on 468where there is one digit before the 469decimal-point character 470and the number of digits after it is equal to the precision; 471if the precision is missing, 472it is taken as 6; if the precision is 473zero, no decimal-point character appears. 474An 475.Cm E 476conversion uses the letter 477.Ql E 478(rather than 479.Ql e ) 480to introduce the exponent. 481The exponent always contains at least two digits; if the value is zero, 482the exponent is 00. 483.Pp 484For 485.Cm a , A , e , E , f , F , g , 486and 487.Cm G 488conversions, positive and negative infinity are represented as 489.Li inf 490and 491.Li -inf 492respectively when using the lowercase conversion character, and 493.Li INF 494and 495.Li -INF 496respectively when using the uppercase conversion character. 497Similarly, NaN is represented as 498.Li nan 499when using the lowercase conversion, and 500.Li NAN 501when using the uppercase conversion. 502.It Cm fF 503The 504.Vt double 505argument is rounded and converted to decimal notation in the style 506.Sm off 507.Oo \- Oc Ar ddd Li \&. Ar ddd , 508.Sm on 509where the number of digits after the decimal-point character 510is equal to the precision specification. 511If the precision is missing, it is taken as 6; if the precision is 512explicitly zero, no decimal-point character appears. 513If a decimal point appears, at least one digit appears before it. 514.It Cm gG 515The 516.Vt double 517argument is converted in style 518.Cm f 519or 520.Cm e 521(or 522.Cm F 523or 524.Cm E 525for 526.Cm G 527conversions). 528The precision specifies the number of significant digits. 529If the precision is missing, 6 digits are given; if the precision is zero, 530it is treated as 1. 531Style 532.Cm e 533is used if the exponent from its conversion is less than \-4 or greater than 534or equal to the precision. 535Trailing zeros are removed from the fractional part of the result; a 536decimal point appears only if it is followed by at least one digit. 537.It Cm aA 538The 539.Vt double 540argument is rounded and converted to hexadecimal notation in the style 541.Sm off 542.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d , 543.Sm on 544where the number of digits after the hexadecimal-point character 545is equal to the precision specification. 546If the precision is missing, it is taken as enough to represent 547the floating-point number exactly, and no rounding occurs. 548If the precision is zero, no hexadecimal-point character appears. 549The 550.Cm p 551is a literal character 552.Ql p , 553and the exponent consists of a positive or negative sign 554followed by a decimal number representing an exponent of 2. 555The 556.Cm A 557conversion uses the prefix 558.Dq Li 0X 559(rather than 560.Dq Li 0x ) , 561the letters 562.Dq Li ABCDEF 563(rather than 564.Dq Li abcdef ) 565to represent the hex digits, and the letter 566.Ql P 567(rather than 568.Ql p ) 569to separate the mantissa and exponent. 570.Pp 571Note that there may be multiple valid ways to represent floating-point 572numbers in this hexadecimal format. 573For example, 574.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 , 575and 576.Li 0xc.9p-2 577are all equivalent. 578.Fx 8.0 579and later always prints finite non-zero numbers using 580.Ql 1 581as the digit before the hexadecimal point. 582Zeroes are always represented with a mantissa of 0 (preceded by a 583.Ql - 584if appropriate) and an exponent of 585.Li +0 . 586.It Cm C 587Treated as 588.Cm c 589with the 590.Cm l 591(ell) modifier. 592.It Cm c 593The 594.Vt int 595argument is converted to an 596.Vt "unsigned char" , 597and the resulting character is written. 598.Pp 599If the 600.Cm l 601(ell) modifier is used, the 602.Vt wint_t 603argument shall be converted to a 604.Vt wchar_t , 605and the (potentially multi-byte) sequence representing the 606single wide character is written, including any shift sequences. 607If a shift sequence is used, the shift state is also restored 608to the original state after the character. 609.It Cm S 610Treated as 611.Cm s 612with the 613.Cm l 614(ell) modifier. 615.It Cm s 616The 617.Vt "char *" 618argument is expected to be a pointer to an array of character type (pointer 619to a string). 620Characters from the array are written up to (but not including) 621a terminating 622.Dv NUL 623character; 624if a precision is specified, no more than the number specified are 625written. 626If a precision is given, no null character 627need be present; if the precision is not specified, or is greater than 628the size of the array, the array must contain a terminating 629.Dv NUL 630character. 631.Pp 632If the 633.Cm l 634(ell) modifier is used, the 635.Vt "wchar_t *" 636argument is expected to be a pointer to an array of wide characters 637(pointer to a wide string). 638For each wide character in the string, the (potentially multi-byte) 639sequence representing the 640wide character is written, including any shift sequences. 641If any shift sequence is used, the shift state is also restored 642to the original state after the string. 643Wide characters from the array are written up to (but not including) 644a terminating wide 645.Dv NUL 646character; 647if a precision is specified, no more than the number of bytes specified are 648written (including shift sequences). 649Partial characters are never written. 650If a precision is given, no null character 651need be present; if the precision is not specified, or is greater than 652the number of bytes required to render the multibyte representation of 653the string, the array must contain a terminating wide 654.Dv NUL 655character. 656.It Cm p 657The 658.Vt "void *" 659pointer argument is printed in hexadecimal (as if by 660.Ql %#x 661or 662.Ql %#lx ) . 663.It Cm n 664The number of characters written so far is stored into the 665integer indicated by the 666.Vt "int *" 667(or variant) pointer argument. 668No argument is converted. 669.It Cm m 670Print the string representation of the error code stored in the 671.Dv errno 672variable at the beginning of the call, as returned by 673.Xr strerror 3 . 674No argument is taken. 675.It Cm % 676A 677.Ql % 678is written. 679No argument is converted. 680The complete conversion specification 681is 682.Ql %% . 683.El 684.Pp 685The decimal point 686character is defined in the program's locale (category 687.Dv LC_NUMERIC ) . 688.Pp 689In no case does a non-existent or small field width cause truncation of 690a numeric field; if the result of a conversion is wider than the field 691width, the 692field is expanded to contain the conversion result. 693.Sh RETURN VALUES 694These functions return the number of characters printed 695(not including the trailing 696.Ql \e0 697used to end output to strings), 698except for 699.Fn snprintf 700and 701.Fn vsnprintf , 702which return the number of characters that would have been printed if the 703.Fa size 704were unlimited 705(again, not including the final 706.Ql \e0 ) . 707These functions return a negative value if an error occurs. 708.Sh EXAMPLES 709To print a date and time in the form 710.Dq Li "Sunday, July 3, 10:02" , 711where 712.Fa weekday 713and 714.Fa month 715are pointers to strings: 716.Bd -literal -offset indent 717#include <stdio.h> 718fprintf(stdout, "%s, %s %d, %.2d:%.2d\en", 719 weekday, month, day, hour, min); 720.Ed 721.Pp 722To print \*(Pi 723to five decimal places: 724.Bd -literal -offset indent 725#include <math.h> 726#include <stdio.h> 727fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0)); 728.Ed 729.Pp 730To allocate a 128 byte string and print into it: 731.Bd -literal -offset indent 732#include <stdio.h> 733#include <stdlib.h> 734#include <stdarg.h> 735char *newfmt(const char *fmt, ...) 736{ 737 char *p; 738 va_list ap; 739 if ((p = malloc(128)) == NULL) 740 return (NULL); 741 va_start(ap, fmt); 742 (void) vsnprintf(p, 128, fmt, ap); 743 va_end(ap); 744 return (p); 745} 746.Ed 747.Sh COMPATIBILITY 748The conversion formats 749.Cm \&%D , \&%O , 750and 751.Cm \&%U 752are not standard and 753are provided only for backward compatibility. 754The conversion format 755.Cm \&%m 756is also not standard and provides the popular extension from the 757.Tn GNU C 758library. 759.Pp 760The effect of padding the 761.Cm %p 762format with zeros (either by the 763.Cm 0 764flag or by specifying a precision), and the benign effect (i.e., none) 765of the 766.Cm # 767flag on 768.Cm %n 769and 770.Cm %p 771conversions, as well as other 772nonsensical combinations such as 773.Cm %Ld , 774are not standard; such combinations 775should be avoided. 776.Sh ERRORS 777In addition to the errors documented for the 778.Xr write 2 779system call, the 780.Fn printf 781family of functions may fail if: 782.Bl -tag -width Er 783.It Bq Er EILSEQ 784An invalid wide character code was encountered. 785.It Bq Er ENOMEM 786Insufficient storage space is available. 787.It Bq Er EOVERFLOW 788The 789.Fa size 790argument exceeds 791.Dv INT_MAX + 1 , 792or the return value would be too large to be represented by an 793.Vt int . 794.El 795.Sh SEE ALSO 796.Xr printf 1 , 797.Xr errno 2 , 798.Xr fmtcheck 3 , 799.Xr scanf 3 , 800.Xr setlocale 3 , 801.Xr strerror 3 , 802.Xr wprintf 3 803.Sh STANDARDS 804Subject to the caveats noted in the 805.Sx BUGS 806section below, the 807.Fn fprintf , 808.Fn printf , 809.Fn sprintf , 810.Fn vprintf , 811.Fn vfprintf , 812and 813.Fn vsprintf 814functions 815conform to 816.St -ansiC 817and 818.St -isoC-99 . 819With the same reservation, the 820.Fn snprintf 821and 822.Fn vsnprintf 823functions conform to 824.St -isoC-99 , 825while 826.Fn dprintf 827and 828.Fn vdprintf 829conform to 830.St -p1003.1-2008 . 831The functions 832.Fn asprintf 833and 834.Fn vasprintf 835conform to 836.St -p1003.1-2024 . 837.Sh HISTORY 838The functions 839.Fn asprintf 840and 841.Fn vasprintf 842first appeared in the 843.Tn GNU C 844library. 845These were implemented by 846.An Peter Wemm Aq Mt peter@FreeBSD.org 847in 848.Fx 2.2 , 849but were later replaced with a different implementation 850from 851.Ox 2.3 852by 853.An Todd C. Miller Aq Mt Todd.Miller@courtesan.com . 854The 855.Fn dprintf 856and 857.Fn vdprintf 858functions were added in 859.Fx 8.0 . 860The 861.Cm \&%m 862format extension first appeared in the 863.Tn GNU C 864library, and was implemented in 865.Fx 12.0 . 866.Sh BUGS 867The 868.Nm 869family of functions do not correctly handle multibyte characters in the 870.Fa format 871argument. 872.Sh SECURITY CONSIDERATIONS 873The 874.Fn sprintf 875and 876.Fn vsprintf 877functions are easily misused in a manner which enables malicious users 878to arbitrarily change a running program's functionality through 879a buffer overflow attack. 880Because 881.Fn sprintf 882and 883.Fn vsprintf 884assume an infinitely long string, 885callers must be careful not to overflow the actual space; 886this is often hard to assure. 887For safety, programmers should use the 888.Fn snprintf 889interface instead. 890For example: 891.Bd -literal 892void 893foo(const char *arbitrary_string, const char *and_another) 894{ 895 char onstack[8]; 896 897#ifdef BAD 898 /* 899 * This first sprintf is bad behavior. Do not use sprintf! 900 */ 901 sprintf(onstack, "%s, %s", arbitrary_string, and_another); 902#else 903 /* 904 * The following two lines demonstrate better use of 905 * snprintf(). 906 */ 907 snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, 908 and_another); 909#endif 910} 911.Ed 912.Pp 913The 914.Fn printf 915and 916.Fn sprintf 917family of functions are also easily misused in a manner 918allowing malicious users to arbitrarily change a running program's 919functionality by either causing the program 920to print potentially sensitive data 921.Dq "left on the stack" , 922or causing it to generate a memory fault or bus error 923by dereferencing an invalid pointer. 924.Pp 925.Cm %n 926can be used to write arbitrary data to potentially carefully-selected 927addresses. 928Programmers are therefore strongly advised to never pass untrusted strings 929as the 930.Fa format 931argument, as an attacker can put format specifiers in the string 932to mangle your stack, 933leading to a possible security hole. 934This holds true even if the string was built using a function like 935.Fn snprintf , 936as the resulting string may still contain user-supplied conversion specifiers 937for later interpolation by 938.Fn printf . 939.Pp 940Always use the proper secure idiom: 941.Pp 942.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" 943