Re: [PATCH v2] fix not a string literal warning in test_xasprintf
From: Bruno Haible
Subject: Re: [PATCH v2] fix not a string literal warning in test_xasprintf
Date: Thu, 05 Apr 2012 12:32:56 +0200
User-agent: KMail/4.7.4 (Linux/3.1.0-1.2-desktop; KDE/4.7.4; x86_64; ; )
Gilles Espinasse wrote:
> Remove the code hack preventing format-zero-length warning and replace by a
> pragma GCC diagnostic ignored in top of code.
This patch is not good, because the warning "zero-length format string"
exists at least since GCC 3.1, however
'#pragma GCC diagnostic ignored "-Wformat-zero-length"' works only in
GCC >= 4.2.
The current code, or the simpler test case
==========================
#include <stdio.h>
int main ()
{
const char *empty = "";
printf (empty);
return 0;
}
==========================
compiles without warnings with "gcc -Wall" with all versions up to 4.7.0.
> With gcc-4.4.5 patched with defaults-format-security.patch, coreutils emit
> test-xvasprintf.c: In function 'test_xasprintf':
> test-xvasprintf.c:98: warning: format not a string literal and no format
> arguments
I think this warning is not well thought out. From a security point of
view, passing a string that is not a string literal is the dangerous point
to warn about. Whereas a warning for 0 arguments but no warning for 1 or more
arguments is just a heuristic to catch mistakes done by beginners.
So, the warning "format not a string literal and no format arguments" or,
more generally "format with no format arguments", is a *style* warning,
not a *security* warning.
For the security warning, you should use "format not a string literal"
and do a data flow analysis so as to avoid warnings in
printf (is_signed ? "%d" : "%u", arg);
or
const char *f;
if (is_signed) f = "%d"; else f = "%u";
printf (f, arg);
or
printf (gettext ("bar %d"), arg);
Bruno
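The distinction drawn above (a constant format that merely fails the "string literal" syntax check versus a format taken from outside the program) as an added example; this is not code from the thread or from gnulib, and the function names fmt_number, echo_untrusted and log_fmt are this example's own:

```c
/* Added example, not from the thread. It contrasts the two cases Bruno
   separates: a non-literal format whose every value is a known literal (a
   style matter) and a format string supplied by untrusted input (the
   security hazard). All names here are this example's own. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Style case: `f` is not a literal, but data-flow analysis shows it can
   only be "%d" or "%u". -Wformat-nonliteral still warns on the snprintf
   call; the call itself is safe because the caller controls both values. */
int fmt_number(char *buf, size_t n, int is_signed, int value)
{
    const char *f = is_signed ? "%d" : "%u";
    return snprintf(buf, n, f, value);
}

/* Security case: `msg` comes from outside the program, so it must never be
   the format argument. Passing it through a literal "%s" prints it verbatim
   and leaves any '%' directives it contains inert. */
int echo_untrusted(char *buf, size_t n, const char *msg)
{
    /* The form a real security warning should flag: snprintf(buf, n, msg); */
    return snprintf(buf, n, "%s", msg);
}

/* A wrapper that forwards a format keeps the literal check alive when it
   carries the format attribute (GCC/Clang extension; omitted elsewhere), so
   callers that pass a literal to log_fmt are still type-checked. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char b[64];
    fmt_number(b, sizeof b, 1, -5);                 /* "-5" */
    puts(b);
    echo_untrusted(b, sizeof b, "100%s done");      /* printed verbatim */
    puts(b);
    log_fmt(b, sizeof b, "%s=%d", "x", 3);          /* "x=3" */
    puts(b);
    return 0;
}
```

Compile with `gcc -Wall -Wformat=2` to see the warning land on fmt_number, the style case, while echo_untrusted stays quiet because its format is the literal "%s".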