xref: /freebsd/lib/libc/stdio/printf.3 (revision dfa0ac74c2fbc1cde3e8cdb1ab9fe5cbb90a9b16)
1.\" Copyright (c) 1990, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" This code is derived from software contributed to Berkeley by
5.\" Chris Torek and the American National Standards Committee X3,
6.\" on Information Processing Systems.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\" 3. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.Dd September 5, 2023
33.Dt PRINTF 3
34.Os
35.Sh NAME
36.Nm printf ,
37.Nm fprintf ,
38.Nm sprintf ,
39.Nm snprintf ,
40.Nm asprintf ,
41.Nm dprintf ,
42.Nm vprintf ,
43.Nm vfprintf ,
44.Nm vsprintf ,
45.Nm vsnprintf ,
46.Nm vasprintf ,
47.Nm vdprintf
48.Nd formatted output conversion
49.Sh LIBRARY
50.Lb libc
51.Sh SYNOPSIS
52.In stdio.h
53.Ft int
54.Fn printf "const char * restrict format" ...
55.Ft int
56.Fn fprintf "FILE * restrict stream" "const char * restrict format" ...
57.Ft int
58.Fn sprintf "char * restrict str" "const char * restrict format" ...
59.Ft int
60.Fn snprintf "char * restrict str" "size_t size" "const char * restrict format" ...
61.Ft int
62.Fn asprintf "char **ret" "const char *format" ...
63.Ft int
64.Fn dprintf "int fd" "const char * restrict format" ...
65.In stdarg.h
66.Ft int
67.Fn vprintf "const char * restrict format" "va_list ap"
68.Ft int
69.Fn vfprintf "FILE * restrict stream" "const char * restrict format" "va_list ap"
70.Ft int
71.Fn vsprintf "char * restrict str" "const char * restrict format" "va_list ap"
72.Ft int
73.Fn vsnprintf "char * restrict str" "size_t size" "const char * restrict format" "va_list ap"
74.Ft int
75.Fn vasprintf "char **ret" "const char *format" "va_list ap"
76.Ft int
77.Fn vdprintf "int fd" "const char * restrict format" "va_list ap"
78.Sh DESCRIPTION
79The
80.Fn printf
81family of functions produces output according to a
82.Fa format
83as described below.
84The
85.Fn printf
86and
87.Fn vprintf
88functions
89write output to
90.Dv stdout ,
91the standard output stream;
92.Fn fprintf
93and
94.Fn vfprintf
95write output to the given output
96.Fa stream ;
97.Fn dprintf
98and
99.Fn vdprintf
100write output to the given file descriptor;
101.Fn sprintf ,
102.Fn snprintf ,
103.Fn vsprintf ,
104and
105.Fn vsnprintf
106write to the character string
107.Fa str ;
108and
109.Fn asprintf
110and
111.Fn vasprintf
112dynamically allocate a new string with
113.Xr malloc 3 .
114.Pp
115These functions write the output under the control of a
116.Fa format
117string that specifies how subsequent arguments
118(or arguments accessed via the variable-length argument facilities of
119.Xr stdarg 3 )
120are converted for output.
121.Pp
122The
123.Fn asprintf
124and
125.Fn vasprintf
126functions
127set
128.Fa *ret
129to be a pointer to a buffer sufficiently large to hold the formatted string.
130This pointer should be passed to
131.Xr free 3
132to release the allocated storage when it is no longer needed.
133If sufficient space cannot be allocated,
134.Fn asprintf
135and
136.Fn vasprintf
137will return \-1 and set
138.Fa ret
139to be a
140.Dv NULL
141pointer.
142.Pp
143The
144.Fn snprintf
145and
146.Fn vsnprintf
147functions
148will write at most
149.Fa size Ns \-1
150of the characters printed into the output string
151(the
152.Fa size Ns 'th
153character then gets the terminating
154.Ql \e0 ) ;
155if the return value is greater than or equal to the
156.Fa size
157argument, the string was too short
158and some of the printed characters were discarded.
159The output is always null-terminated, unless
160.Fa size
161is 0.
162.Pp
163The
164.Fn sprintf
165and
166.Fn vsprintf
167functions
168effectively assume a
169.Fa size
170of
171.Dv INT_MAX + 1.
172.Pp
173The format string is composed of zero or more directives:
174ordinary
175.\" multibyte
176characters (not
177.Cm % ) ,
178which are copied unchanged to the output stream;
179and conversion specifications, each of which results
180in fetching zero or more subsequent arguments.
181Each conversion specification is introduced by
182the
183.Cm %
184character.
185The arguments must correspond properly (after type promotion)
186with the conversion specifier.
187After the
188.Cm % ,
189the following appear in sequence:
190.Bl -bullet
191.It
192An optional field, consisting of a decimal digit string followed by a
193.Cm $ ,
194specifying the next argument to access.
195If this field is not provided, the argument following the last
196argument accessed will be used.
197Arguments are numbered starting at
198.Cm 1 .
199If unaccessed arguments in the format string are interspersed with ones that
200are accessed the results will be indeterminate.
201.It
202Zero or more of the following flags:
203.Bl -tag -width ".So \  Sc (space)"
204.It Sq Cm #
205The value should be converted to an
206.Dq alternate form .
207For
208.Cm c , d , i , n , p , s ,
209and
210.Cm u
211conversions, this option has no effect.
212For
213.Cm b
214and
215.Cm B
216conversions, a non-zero result has the string
217.Ql 0b
218(or
219.Ql 0B
220for
221.Cm B
222conversions) prepended to it.
223For
224.Cm o
225conversions, the precision of the number is increased to force the first
226character of the output string to a zero.
227For
228.Cm x
229and
230.Cm X
231conversions, a non-zero result has the string
232.Ql 0x
233(or
234.Ql 0X
235for
236.Cm X
237conversions) prepended to it.
238For
239.Cm a , A , e , E , f , F , g ,
240and
241.Cm G
242conversions, the result will always contain a decimal point, even if no
243digits follow it (normally, a decimal point appears in the results of
244those conversions only if a digit follows).
245For
246.Cm g
247and
248.Cm G
249conversions, trailing zeros are not removed from the result as they
250would otherwise be.
251.It So Cm 0 Sc (zero)
252Zero padding.
253For all conversions except
254.Cm n ,
255the converted value is padded on the left with zeros rather than blanks.
256If a precision is given with a numeric conversion
257.Cm ( b , B , d , i , o , u , i , x ,
258and
259.Cm X ) ,
260the
261.Cm 0
262flag is ignored.
263.It Sq Cm \-
264A negative field width flag;
265the converted value is to be left adjusted on the field boundary.
266Except for
267.Cm n
268conversions, the converted value is padded on the right with blanks,
269rather than on the left with blanks or zeros.
270A
271.Cm \-
272overrides a
273.Cm 0
274if both are given.
275.It So "\ " Sc (space)
276A blank should be left before a positive number
277produced by a signed conversion
278.Cm ( a , A , d , e , E , f , F , g , G ,
279or
280.Cm i ) .
281.It Sq Cm +
282A sign must always be placed before a
283number produced by a signed conversion.
284A
285.Cm +
286overrides a space if both are used.
287.It So "'" Sc (apostrophe)
288Decimal conversions
289.Cm ( d , u ,
290or
291.Cm i )
292or the integral portion of a floating point conversion
293.Cm ( f
294or
295.Cm F )
296should be grouped and separated by thousands using
297the non-monetary separator returned by
298.Xr localeconv 3 .
299.El
300.It
301An optional decimal digit string specifying a minimum field width.
302If the converted value has fewer characters than the field width, it will
303be padded with spaces on the left (or right, if the left-adjustment
304flag has been given) to fill out
305the field width.
306.It
307An optional precision, in the form of a period
308.Cm \&.
309followed by an
310optional digit string.
311If the digit string is omitted, the precision is taken as zero.
312This gives the minimum number of digits to appear for
313.Cm b , B , d , i , o , u , x ,
314and
315.Cm X
316conversions, the number of digits to appear after the decimal-point for
317.Cm a , A , e , E , f ,
318and
319.Cm F
320conversions, the maximum number of significant digits for
321.Cm g
322and
323.Cm G
324conversions, or the maximum number of characters to be printed from a
325string for
326.Cm s
327conversions.
328.It
329An optional length modifier, that specifies the size of the argument.
330The following length modifiers are valid for the
331.Cm b , B , d , i , n , o , u , x ,
332or
333.Cm X
334conversion:
335.Bl -column ".Cm q Em (deprecated)" ".Vt signed char" ".Vt unsigned long long" ".Vt long long *"
336.It Sy Modifier Ta Cm d , i Ta Cm b , B , o , u , x , X Ta Cm n
337.It Cm hh Ta Vt "signed char" Ta Vt "unsigned char" Ta Vt "signed char *"
338.It Cm h Ta Vt short Ta Vt "unsigned short" Ta Vt "short *"
339.It Cm l No (ell) Ta Vt long Ta Vt "unsigned long" Ta Vt "long *"
340.It Cm ll No (ell ell) Ta Vt "long long" Ta Vt "unsigned long long" Ta Vt "long long *"
341.It Cm j Ta Vt intmax_t Ta Vt uintmax_t Ta Vt "intmax_t *"
342.It Cm t Ta Vt ptrdiff_t Ta (see note) Ta Vt "ptrdiff_t *"
343.It Cm w Ns Ar N Ta Vt intN_t Ta Vt uintN_t Ta Vt "intN_t *"
344.It Cm wf Ns Ar N Ta Vt int_fastN_t Ta Vt uint_fastN_t Ta Vt "int_fastN_t *"
345.It Cm z Ta (see note) Ta Vt size_t Ta (see note)
346.It Cm q Em (deprecated) Ta Vt quad_t Ta Vt u_quad_t Ta Vt "quad_t *"
347.El
348.Pp
349Note:
350the
351.Cm t
352modifier, when applied to a
353.Cm b , B , o , u , x ,
354or
355.Cm X
356conversion, indicates that the argument is of an unsigned type
357equivalent in size to a
358.Vt ptrdiff_t .
359The
360.Cm z
361modifier, when applied to a
362.Cm d
363or
364.Cm i
365conversion, indicates that the argument is of a signed type equivalent in
366size to a
367.Vt size_t .
368Similarly, when applied to an
369.Cm n
370conversion, it indicates that the argument is a pointer to a signed type
371equivalent in size to a
372.Vt size_t .
373.Pp
374The following length modifier is valid for the
375.Cm a , A , e , E , f , F , g ,
376or
377.Cm G
378conversion:
379.Bl -column ".Sy Modifier" ".Cm a , A , e , E , f , F , g , G"
380.It Sy Modifier Ta Cm a , A , e , E , f , F , g , G
381.It Cm l No (ell) Ta Vt double
382(ignored, same behavior as without it)
383.It Cm L Ta Vt "long double"
384.El
385.Pp
386The following length modifier is valid for the
387.Cm c
388or
389.Cm s
390conversion:
391.Bl -column ".Sy Modifier" ".Vt wint_t" ".Vt wchar_t *"
392.It Sy Modifier Ta Cm c Ta Cm s
393.It Cm l No (ell) Ta Vt wint_t Ta Vt "wchar_t *"
394.El
395.It
396A character that specifies the type of conversion to be applied.
397.El
398.Pp
399A field width or precision, or both, may be indicated by
400an asterisk
401.Ql *
402or an asterisk followed by one or more decimal digits and a
403.Ql $
404instead of a
405digit string.
406In this case, an
407.Vt int
408argument supplies the field width or precision.
409A negative field width is treated as a left adjustment flag followed by a
410positive field width; a negative precision is treated as though it were
411missing.
412If a single format directive mixes positional
413.Pq Li nn$
414and non-positional arguments, the results are undefined.
415.Pp
416The conversion specifiers and their meanings are:
417.Bl -tag -width ".Cm bBdiouxX"
418.It Cm bBdiouxX
419The
420.Vt int
421(or appropriate variant) argument is converted to
422unsigned binary
423.Cm ( b
424and
425.Cm B ) ,
426signed decimal
427.Cm ( d
428and
429.Cm i ) ,
430unsigned octal
431.Pq Cm o ,
432unsigned decimal
433.Pq Cm u ,
434or unsigned hexadecimal
435.Cm ( x
436and
437.Cm X )
438notation.
439The letters
440.Dq Li abcdef
441are used for
442.Cm x
443conversions; the letters
444.Dq Li ABCDEF
445are used for
446.Cm X
447conversions.
448The precision, if any, gives the minimum number of digits that must
449appear; if the converted value requires fewer digits, it is padded on
450the left with zeros.
451.It Cm DOU
452The
453.Vt "long int"
454argument is converted to signed decimal, unsigned octal, or unsigned
455decimal, as if the format had been
456.Cm ld , lo ,
457or
458.Cm lu
459respectively.
460These conversion characters are deprecated, and will eventually disappear.
461.It Cm eE
462The
463.Vt double
464argument is rounded and converted in the style
465.Sm off
466.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd
467.Sm on
468where there is one digit before the
469decimal-point character
470and the number of digits after it is equal to the precision;
471if the precision is missing,
472it is taken as 6; if the precision is
473zero, no decimal-point character appears.
474An
475.Cm E
476conversion uses the letter
477.Ql E
478(rather than
479.Ql e )
480to introduce the exponent.
481The exponent always contains at least two digits; if the value is zero,
482the exponent is 00.
483.Pp
484For
485.Cm a , A , e , E , f , F , g ,
486and
487.Cm G
488conversions, positive and negative infinity are represented as
489.Li inf
490and
491.Li -inf
492respectively when using the lowercase conversion character, and
493.Li INF
494and
495.Li -INF
496respectively when using the uppercase conversion character.
497Similarly, NaN is represented as
498.Li nan
499when using the lowercase conversion, and
500.Li NAN
501when using the uppercase conversion.
502.It Cm fF
503The
504.Vt double
505argument is rounded and converted to decimal notation in the style
506.Sm off
507.Oo \- Oc Ar ddd Li \&. Ar ddd ,
508.Sm on
509where the number of digits after the decimal-point character
510is equal to the precision specification.
511If the precision is missing, it is taken as 6; if the precision is
512explicitly zero, no decimal-point character appears.
513If a decimal point appears, at least one digit appears before it.
514.It Cm gG
515The
516.Vt double
517argument is converted in style
518.Cm f
519or
520.Cm e
521(or
522.Cm F
523or
524.Cm E
525for
526.Cm G
527conversions).
528The precision specifies the number of significant digits.
529If the precision is missing, 6 digits are given; if the precision is zero,
530it is treated as 1.
531Style
532.Cm e
533is used if the exponent from its conversion is less than \-4 or greater than
534or equal to the precision.
535Trailing zeros are removed from the fractional part of the result; a
536decimal point appears only if it is followed by at least one digit.
537.It Cm aA
538The
539.Vt double
540argument is rounded and converted to hexadecimal notation in the style
541.Sm off
542.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d ,
543.Sm on
544where the number of digits after the hexadecimal-point character
545is equal to the precision specification.
546If the precision is missing, it is taken as enough to represent
547the floating-point number exactly, and no rounding occurs.
548If the precision is zero, no hexadecimal-point character appears.
549The
550.Cm p
551is a literal character
552.Ql p ,
553and the exponent consists of a positive or negative sign
554followed by a decimal number representing an exponent of 2.
555The
556.Cm A
557conversion uses the prefix
558.Dq Li 0X
559(rather than
560.Dq Li 0x ) ,
561the letters
562.Dq Li ABCDEF
563(rather than
564.Dq Li abcdef )
565to represent the hex digits, and the letter
566.Ql P
567(rather than
568.Ql p )
569to separate the mantissa and exponent.
570.Pp
571Note that there may be multiple valid ways to represent floating-point
572numbers in this hexadecimal format.
573For example,
574.Li 0x1.92p+1 , 0x3.24p+0 , 0x6.48p-1 ,
575and
576.Li 0xc.9p-2
577are all equivalent.
578.Fx 8.0
579and later always prints finite non-zero numbers using
580.Ql 1
581as the digit before the hexadecimal point.
582Zeroes are always represented with a mantissa of 0 (preceded by a
583.Ql -
584if appropriate) and an exponent of
585.Li +0 .
586.It Cm C
587Treated as
588.Cm c
589with the
590.Cm l
591(ell) modifier.
592.It Cm c
593The
594.Vt int
595argument is converted to an
596.Vt "unsigned char" ,
597and the resulting character is written.
598.Pp
599If the
600.Cm l
601(ell) modifier is used, the
602.Vt wint_t
603argument shall be converted to a
604.Vt wchar_t ,
605and the (potentially multi-byte) sequence representing the
606single wide character is written, including any shift sequences.
607If a shift sequence is used, the shift state is also restored
608to the original state after the character.
609.It Cm S
610Treated as
611.Cm s
612with the
613.Cm l
614(ell) modifier.
615.It Cm s
616The
617.Vt "char *"
618argument is expected to be a pointer to an array of character type (pointer
619to a string).
620Characters from the array are written up to (but not including)
621a terminating
622.Dv NUL
623character;
624if a precision is specified, no more than the number specified are
625written.
626If a precision is given, no null character
627need be present; if the precision is not specified, or is greater than
628the size of the array, the array must contain a terminating
629.Dv NUL
630character.
631.Pp
632If the
633.Cm l
634(ell) modifier is used, the
635.Vt "wchar_t *"
636argument is expected to be a pointer to an array of wide characters
637(pointer to a wide string).
638For each wide character in the string, the (potentially multi-byte)
639sequence representing the
640wide character is written, including any shift sequences.
641If any shift sequence is used, the shift state is also restored
642to the original state after the string.
643Wide characters from the array are written up to (but not including)
644a terminating wide
645.Dv NUL
646character;
647if a precision is specified, no more than the number of bytes specified are
648written (including shift sequences).
649Partial characters are never written.
650If a precision is given, no null character
651need be present; if the precision is not specified, or is greater than
652the number of bytes required to render the multibyte representation of
653the string, the array must contain a terminating wide
654.Dv NUL
655character.
656.It Cm p
657The
658.Vt "void *"
659pointer argument is printed in hexadecimal (as if by
660.Ql %#x
661or
662.Ql %#lx ) .
663.It Cm n
664The number of characters written so far is stored into the
665integer indicated by the
666.Vt "int *"
667(or variant) pointer argument.
668No argument is converted.
669.It Cm m
670Print the string representation of the error code stored in the
671.Dv errno
672variable at the beginning of the call, as returned by
673.Xr strerror 3 .
674No argument is taken.
675.It Cm %
676A
677.Ql %
678is written.
679No argument is converted.
680The complete conversion specification
681is
682.Ql %% .
683.El
684.Pp
685The decimal point
686character is defined in the program's locale (category
687.Dv LC_NUMERIC ) .
688.Pp
689In no case does a non-existent or small field width cause truncation of
690a numeric field; if the result of a conversion is wider than the field
691width, the
692field is expanded to contain the conversion result.
693.Sh RETURN VALUES
694These functions return the number of characters printed
695(not including the trailing
696.Ql \e0
697used to end output to strings),
698except for
699.Fn snprintf
700and
701.Fn vsnprintf ,
702which return the number of characters that would have been printed if the
703.Fa size
704were unlimited
705(again, not including the final
706.Ql \e0 ) .
707These functions return a negative value if an error occurs.
708.Sh EXAMPLES
709To print a date and time in the form
710.Dq Li "Sunday, July 3, 10:02" ,
711where
712.Fa weekday
713and
714.Fa month
715are pointers to strings:
716.Bd -literal -offset indent
717#include <stdio.h>
718fprintf(stdout, "%s, %s %d, %.2d:%.2d\en",
719	weekday, month, day, hour, min);
720.Ed
721.Pp
722To print \*(Pi
723to five decimal places:
724.Bd -literal -offset indent
725#include <math.h>
726#include <stdio.h>
727fprintf(stdout, "pi = %.5f\en", 4 * atan(1.0));
728.Ed
729.Pp
730To allocate a 128 byte string and print into it:
731.Bd -literal -offset indent
732#include <stdio.h>
733#include <stdlib.h>
734#include <stdarg.h>
735char *newfmt(const char *fmt, ...)
736{
737	char *p;
738	va_list ap;
739	if ((p = malloc(128)) == NULL)
740		return (NULL);
741	va_start(ap, fmt);
742	(void) vsnprintf(p, 128, fmt, ap);
743	va_end(ap);
744	return (p);
745}
746.Ed
747.Sh COMPATIBILITY
748The conversion formats
749.Cm \&%D , \&%O ,
750and
751.Cm \&%U
752are not standard and
753are provided only for backward compatibility.
754The conversion format
755.Cm \&%m
756is also not standard and provides the popular extension from the
757.Tn GNU C
758library.
759.Pp
760The effect of padding the
761.Cm %p
762format with zeros (either by the
763.Cm 0
764flag or by specifying a precision), and the benign effect (i.e., none)
765of the
766.Cm #
767flag on
768.Cm %n
769and
770.Cm %p
771conversions, as well as other
772nonsensical combinations such as
773.Cm %Ld ,
774are not standard; such combinations
775should be avoided.
776.Sh ERRORS
777In addition to the errors documented for the
778.Xr write 2
779system call, the
780.Fn printf
781family of functions may fail if:
782.Bl -tag -width Er
783.It Bq Er EILSEQ
784An invalid wide character code was encountered.
785.It Bq Er ENOMEM
786Insufficient storage space is available.
787.It Bq Er EOVERFLOW
788The
789.Fa size
790argument exceeds
791.Dv INT_MAX + 1 ,
792or the return value would be too large to be represented by an
793.Vt int .
794.El
795.Sh SEE ALSO
796.Xr printf 1 ,
797.Xr errno 2 ,
798.Xr fmtcheck 3 ,
799.Xr scanf 3 ,
800.Xr setlocale 3 ,
801.Xr strerror 3 ,
802.Xr wprintf 3
803.Sh STANDARDS
804Subject to the caveats noted in the
805.Sx BUGS
806section below, the
807.Fn fprintf ,
808.Fn printf ,
809.Fn sprintf ,
810.Fn vprintf ,
811.Fn vfprintf ,
812and
813.Fn vsprintf
814functions
815conform to
816.St -ansiC
817and
818.St -isoC-99 .
819With the same reservation, the
820.Fn snprintf
821and
822.Fn vsnprintf
823functions conform to
824.St -isoC-99 ,
825while
826.Fn dprintf
827and
828.Fn vdprintf
829conform to
830.St -p1003.1-2008 .
831The functions
832.Fn asprintf
833and
834.Fn vasprintf
835conform to
836.St -p1003.1-2024 .
837.Sh HISTORY
838The functions
839.Fn asprintf
840and
841.Fn vasprintf
842first appeared in the
843.Tn GNU C
844library.
845These were implemented by
846.An Peter Wemm Aq Mt peter@FreeBSD.org
847in
848.Fx 2.2 ,
849but were later replaced with a different implementation
850from
851.Ox 2.3
852by
853.An Todd C. Miller Aq Mt Todd.Miller@courtesan.com .
854The
855.Fn dprintf
856and
857.Fn vdprintf
858functions were added in
859.Fx 8.0 .
860The
861.Cm \&%m
862format extension first appeared in the
863.Tn GNU C
864library, and was implemented in
865.Fx 12.0 .
866.Sh BUGS
867The
868.Nm
869family of functions do not correctly handle multibyte characters in the
870.Fa format
871argument.
872.Sh SECURITY CONSIDERATIONS
873The
874.Fn sprintf
875and
876.Fn vsprintf
877functions are easily misused in a manner which enables malicious users
878to arbitrarily change a running program's functionality through
879a buffer overflow attack.
880Because
881.Fn sprintf
882and
883.Fn vsprintf
884assume an infinitely long string,
885callers must be careful not to overflow the actual space;
886this is often hard to assure.
887For safety, programmers should use the
888.Fn snprintf
889interface instead.
890For example:
891.Bd -literal
892void
893foo(const char *arbitrary_string, const char *and_another)
894{
895	char onstack[8];
896
897#ifdef BAD
898	/*
899	 * This first sprintf is bad behavior.  Do not use sprintf!
900	 */
901	sprintf(onstack, "%s, %s", arbitrary_string, and_another);
902#else
903	/*
904	 * The following two lines demonstrate better use of
905	 * snprintf().
906	 */
907	snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string,
908	    and_another);
909#endif
910}
911.Ed
912.Pp
913The
914.Fn printf
915and
916.Fn sprintf
917family of functions are also easily misused in a manner
918allowing malicious users to arbitrarily change a running program's
919functionality by either causing the program
920to print potentially sensitive data
921.Dq "left on the stack" ,
922or causing it to generate a memory fault or bus error
923by dereferencing an invalid pointer.
924.Pp
925.Cm %n
926can be used to write arbitrary data to potentially carefully-selected
927addresses.
928Programmers are therefore strongly advised to never pass untrusted strings
929as the
930.Fa format
931argument, as an attacker can put format specifiers in the string
932to mangle your stack,
933leading to a possible security hole.
934This holds true even if the string was built using a function like
935.Fn snprintf ,
936as the resulting string may still contain user-supplied conversion specifiers
937for later interpolation by
938.Fn printf .
939.Pp
940Always use the proper secure idiom:
941.Pp
942.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);"
943