FTBFS if "-Werror=format-security" flag is used

Florian Weimer fweimer at redhat.com
Thu Dec 5 13:15:52 UTC 2013


On 12/05/2013 11:00 AM, Ralf Corsepius wrote:
> On 12/05/2013 10:26 AM, Björn Persson wrote:
>> Brendan Jones wrote:
>>> Patching is not a problem. Unnecessary is the question. Explain to me
>>> (not you in particular Rahul) how these printf's can possibly be
>>> exploited?
>
> I believe to be able to prove GCC is producing bogus warnings:
>
> Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1037293
> (This is a trimmed down example of a real world case).

The offending line is this:

   fprintf(fp, endfmt);

endfmt is not a string literal, so the warning is correct in the sense 
that it provides the intended diagnostic.  GCC could perhaps do better 
in some cases, but not without relying on the optimizers.

-- 
Florian Weimer / Red Hat Product Security Team
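
An added example, not part of the original message or of the linked bug report: the call form the message points at, next to a warning-free equivalent, with the output of both captured for comparison. The value given to `endfmt`, the function names and the `capture` helper are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value; the page does not show how endfmt is defined. */
static const char *endfmt = "done: 100%%\n";

/* Pattern from the message: the format argument is a variable and there are
   no further arguments, which is what -Wformat-security reports. The warning
   is silenced for this one function only so that the demo builds everywhere. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int emit_flagged(FILE *fp, const char *s) { return fprintf(fp, s); }
#pragma GCC diagnostic pop

/* Warning-free form: the format is a literal and the variable is only data. */
static int emit_fixed(FILE *fp, const char *s) { return fprintf(fp, "%s", s); }

/* Run one emitter against a temporary file and copy what it wrote into out.
   Returns the number of bytes captured, or -1 on failure. */
static int capture(int (*emit)(FILE *, const char *), const char *s,
                   char *out, size_t outsz)
{
    FILE *fp;
    size_t n;

    if (outsz == 0 || (fp = tmpfile()) == NULL)
        return -1;
    if (emit(fp, s) < 0) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    n = fread(out, 1, outsz - 1, fp);
    out[n] = '\0';
    fclose(fp);
    return (int)n;
}

int main(void)
{
    char a[64], b[64];

    capture(emit_flagged, endfmt, a, sizeof a);  /* string parsed as a format */
    capture(emit_fixed, endfmt, b, sizeof b);    /* string copied verbatim */
    printf("flagged: %sfixed:   %s", a, b);
    printf("identical: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```

The two outputs differ because the flagged call interprets the contents of the variable as a format, while the fixed call treats it as plain data; `fputs(endfmt, fp)` is an equivalent fix.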

