Re: [PATCH v2] fix not a string literal warning in test_xasprintf

From: Bruno Haible
Subject: Re: [PATCH v2] fix not a string literal warning in test_xasprintf
Date: Thu, 05 Apr 2012 12:32:56 +0200
User-agent: KMail/4.7.4 (Linux/3.1.0-1.2-desktop; KDE/4.7.4; x86_64; ; )

Gilles Espinasse wrote:
> Remove the code hack preventing format-zero-length warning and replace by a
> pragma GCC diagnostic ignored in top of code.

This patch is not good, because the warning "zero-length format string"
exists at least since GCC 3.1, however
'#pragma GCC diagnostic ignored "-Wformat-zero-length"' works only in
GCC >= 4.2.

The current code, or the simpler test case
#include <stdio.h>
int main ()
{
  const char *empty = "";
  printf (empty);
  return 0;
}

compiles without warnings with "gcc -Wall" with all versions up to 4.7.0.

> With gcc-4.4.5 patched with defaults-format-security.patch, coreutils emit
> test-xvasprintf.c: In function 'test_xasprintf':
> test-xvasprintf.c:98: warning: format not a string literal and no format 
> arguments

I think this warning is not well thought out. From a security point of
view, passing a string that is not a string literal is the dangerous point
to warn about. Whereas a warning for 0 arguments but no warning for 1 or more
arguments is just a heuristic to catch mistakes done by beginners.

So, the warning "format not a string literal and no format arguments" or,
more generally "format with no format arguments", is a *style* warning,
not a *security* warning.

For the security warning, you should use "format not a string literal"
and do a data flow analysis so as to avoid warnings in

   printf (signed ? "%d" : "%u", arg);


   const char *f;
   if (signed) f = "%d"; else f = "%u";
   printf (f, arg);


   printf (gettext ("bar %d"), arg);


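The message's point that a non-literal format is the risk whatever the argument count, made concrete for the `gettext` case as an added example (not code from this thread or from gnulib): a runtime check that a format obtained at run time consumes exactly the arguments of the trusted literal. The names `format_signature` and `format_matches` are hypothetical, the "translated" string is constructed, and positional `%1$d` directives are rejected rather than handled.

```c
#include <stdio.h>
#include <string.h>

/* Write the conversion signature of fmt into sig, e.g. "%-5ld %*s" -> "ld*s".
   A '*' width or precision consumes an int and is recorded as '*'.
   Returns -1 on a truncated or positional directive, or if sig is too small. */
static int format_signature(const char *fmt, char *sig, size_t size)
{
    size_t n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%' || *++p == '%')
            continue;                   /* literal text, or "%%" (no argument) */
        for (;; p++) {
            if (*p == '\0' || *p == '$')
                return -1;
            if (strchr("-+ #0.123456789", *p) != NULL)
                continue;               /* flags, width and precision digits */
            if (n + 2 > size)
                return -1;
            sig[n++] = *p;              /* '*', length modifier or conversion */
            if (*p != '*' && strchr("hlLqjzt", *p) == NULL)
                break;                  /* conversion character ends the directive */
        }
    }
    sig[n] = '\0';
    return 0;
}

/* Return 1 only if runtime_fmt consumes the same arguments as expected_fmt. */
static int format_matches(const char *expected_fmt, const char *runtime_fmt)
{
    char want[64], got[64];
    if (format_signature(expected_fmt, want, sizeof want) != 0
        || format_signature(runtime_fmt, got, sizeof got) != 0)
        return 0;
    return strcmp(want, got) == 0;
}

int main(void)
{
    const char *translated = "bar %s\n";    /* constructed: bad translation of "bar %d\n" */
    if (format_matches("bar %d\n", translated))
        printf(translated, 42);
    else
        printf("bar %d\n", 42);             /* fall back to the trusted literal */
    return 0;
}
```

The check rejects `"bar %d %s"` against `"bar %d"` even though one argument is supplied, which is the case a warning keyed on "no format arguments" never sees.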