Enabling "-Werror=format-security" by default

Dan Winship danw at redhat.com
Wed Nov 20 21:07:43 UTC 2013


On 11/20/2013 11:13 AM, Jerry James wrote:
> And the very first package I maintain that appears on that list, abe,
> is an interesting one.  The game has an internal function,
> path_sprintf(), which is static in Game.c.  All callers of that
> function are visible in the same file, and all pass constant strings
> into the function, which passes those constant strings to sprintf().
> The function's purpose is to produce a pathname for a file of interest
> to the caller in the game's installed location.  It's too bad that
> gcc's analysis cannot span function calls inside a compilation unit.
> There really is nothing wrong with this code.

If you change its prototype to:

static void path_sprintf (char *path, const char *format, ...)
__attribute__((__format__(__printf__, 2, 3)));

(and update it to use varargs and vsprintf() instead of sprintf())

then the warnings will go away, because gcc will now know that it's a 
function that behaves like printf(), with argument 2 being the format 
string and argument 3 being the "...", and so then it can do the 
-Wformat-security checking at each of the path_sprintf() callpoints. 
(And you also get warnings when the arguments don't match the format 
string, like you would if you were calling sprintf() directly.) (And now 
you can use formats other than a single "%d" in the future if you want...)

-- Dan
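As an added worked example (not code from the abe game or from Dan's mail): a path formatter carrying the format attribute described above, converted to varargs and using a bounded vsnprintf() instead of sprintf(). The install directory ABE_DATA_DIR, the file name used as sample input, and the function names are assumptions made for this example. With this declaration gcc checks the format string against the arguments at every caller, so under -Werror=format-security a call that passes a non-literal format with no further arguments, such as path_snprintf(buf, sizeof buf, name), is rejected at compile time, while the literal-format callers in the game compile cleanly.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed install location; the real game derives its own. */
#define ABE_DATA_DIR "/usr/share/abe"

/* Prototype carrying the attribute: argument 3 is the format string and
 * argument 4 is the first variadic argument (the extra size parameter
 * shifts the indices by one compared with Dan's two-argument version).
 * gcc now applies -Wformat / -Wformat-security at each call site. */
static int path_snprintf(char *path, size_t size, const char *format, ...)
    __attribute__((__format__(__printf__, 3, 4)));

static int path_snprintf(char *path, size_t size, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(path, size, format, ap);   /* bounded, unlike sprintf() */
    va_end(ap);
    return n;
}

/* Builds "<ABE_DATA_DIR>/<file>" into out. Returns the path length on
 * success, or -1 if the buffer was too small (vsnprintf reports the
 * length it would have needed) or an encoding error occurred. */
int build_data_path(char *out, size_t size, const char *file)
{
    int n = path_snprintf(out, size, "%s/%s", ABE_DATA_DIR, file);

    if (n < 0 || (size_t)n >= size)
        return -1;                           /* truncated: do not use it */
    return n;
}

/* Self-check over constructed input: a buffer that fits and one that
 * does not. Returns 1 when both behave as expected. */
int path_example_ok(void)
{
    char big[64];
    char small[8];
    const char *expect = ABE_DATA_DIR "/map1.dat";

    if (build_data_path(big, sizeof big, "map1.dat") != (int)strlen(expect))
        return 0;
    if (strcmp(big, expect) != 0)
        return 0;
    if (build_data_path(small, sizeof small, "map1.dat") != -1)
        return 0;
    return 1;

    /* With -Werror=format-security the following line would fail to
     * compile, because the format is not a literal and has no arguments:
     *   path_snprintf(big, sizeof big, expect);
     */
}

int main(void)
{
    char buf[64];

    if (build_data_path(buf, sizeof buf, "map1.dat") < 0)
        return 1;
    puts(buf);                               /* /usr/share/abe/map1.dat */
    return path_example_ok() ? 0 : 1;
}
```

The truncation check matters because the original sprintf() call had no bound at all: once the function takes a size and reports the needed length, callers can refuse to open a path that was silently cut short.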
