Enabling "-Werror=format-security" by default
danw at redhat.com
Wed Nov 20 21:07:43 UTC 2013
On 11/20/2013 11:13 AM, Jerry James wrote:
> And the very first package I maintain that appears on that list, abe,
> is an interesting one. The game has an internal function,
> path_sprintf(), which is static in Game.c. All callers of that
> function are visible in the same file, and all pass constant strings
> into the function, which passes those constant strings to sprintf().
> The function's purpose is to produce a pathname for a file of interest
> to the caller in the game's installed location. It's too bad that
> gcc's analysis cannot span function calls inside a compilation unit.
> There really is nothing wrong with this code.
If you change its prototype to:
static void path_sprintf (char *path, char *format, ...)
    __attribute__((__format__(__printf__, 2, 3)));
(and update it to use varargs and vsprintf() instead of sprintf())
then the warnings will go away, because gcc will now know that it's a
function that behaves like printf(), with argument 2 being the format
string and argument 3 being the "...", and so then it can do the
-Wformat-security checking at each of the path_sprintf() callpoints.
(And you also get warnings when the arguments don't match the format
string, like you would if you were calling sprintf() directly.) (And now
you can use formats other than a single "%d" in the future if you want...)
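The suggestion above, written out as an added example (this is not abe's code and not code from the thread): a varargs path_sprintf() carrying the format attribute, so that gcc checks the format string and its arguments at every call site. Two things here are assumptions not on the page: the install directory (DATA_DIR) and the level-file naming pattern are constructed for the example, and a buffer-size parameter has been added so the helper can use vsnprintf() rather than vsprintf(); because of that extra parameter the attribute's positions become 3 and 4 instead of the 2 and 3 in the message (the indices count every parameter, the destination buffer included).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the game's real install location is not on the page. */
#define DATA_DIR "/usr/share/abe"
#define PATH_BUF_SIZE 256

/* The format attribute tells gcc that parameter 3 is a printf-style format
 * and the variadic arguments start at parameter 4.  With it in place,
 *   path_sprintf(buf, sizeof buf, "%d", "seven");   -> -Wformat warning
 *   path_sprintf(buf, sizeof buf, untrusted_string); -> -Wformat-security warning
 * exactly as if the caller had invoked snprintf() directly. */
static int path_sprintf(char *path, size_t size, const char *format, ...)
    __attribute__((__format__(__printf__, 3, 4)));

/* Builds DATA_DIR "/" + the formatted tail into `path` (at most `size` bytes,
 * always NUL-terminated when size > 0).  Returns the total length written,
 * or -1 if the result did not fit. */
static int path_sprintf(char *path, size_t size, const char *format, ...)
{
    va_list ap;
    int prefix, rest;

    /* Install prefix and separator first. */
    prefix = snprintf(path, size, "%s/", DATA_DIR);
    if (prefix < 0 || (size_t)prefix >= size)
        return -1;

    /* Then the caller's format, bounded by the space that remains. */
    va_start(ap, format);
    rest = vsnprintf(path + prefix, size - (size_t)prefix, format, ap);
    va_end(ap);
    if (rest < 0 || (size_t)rest >= size - (size_t)prefix)
        return -1;

    return prefix + rest;
}

/* Example caller: the path of level file N.  The file name pattern is constructed. */
static const char *level_path(int level)
{
    static char path[PATH_BUF_SIZE];

    path_sprintf(path, sizeof path, "levels/level%03d.dat", level);
    return path;
}

/* Shows the truncation case: a buffer too small even for the prefix yields -1. */
static int truncated_path_fails(void)
{
    char small[8];  /* constructed: deliberately undersized */

    return path_sprintf(small, sizeof small, "x") == -1;
}

int main(void)
{
    printf("%s\n", level_path(7));
    printf("undersized buffer rejected: %s\n", truncated_path_fails() ? "yes" : "no");
    return 0;
}
```

Compile with -Wformat -Werror=format-security to see the two commented call patterns rejected; the bounded vsnprintf() also means a long tail can no longer run past the caller's buffer, which sprintf() offered no protection against.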