This is the mail archive of the
mailing list for the GCC project.
Re: use of %n in genmodes.c causes trouble on Vista
- From: Ian Lance Taylor <iant at google dot com>
- To: Olivier Hainque <hainque at adacore dot com>
- Cc: gcc at gcc dot gnu dot org
- Date: 06 Jun 2007 07:29:26 -0700
- Subject: Re: use of %n in genmodes.c causes trouble on Vista
- References: <20070606074818.GA18078@cardhu.act-europe.fr>
Olivier Hainque <email@example.com> writes:
> genmodes.c uses the %n capabilities of printf to compute the width of
> pieces it outputs. This causes troubles on Windows Vista, because ...
> << Because of security reasons, support for the %n format specifier is
> disabled by default in printf and all its variants. ... the default
> behavior is to invoke the invalid parameter handler ...
> It seems to me that we could replace the uses of %n by uses of printf
> return values. I'm not clear whether this would be considered portable
> enough, however.
What is the security issue here? I'm not seeing it. Are they
concerned that attackers will modify the print control string somehow?
We've decided that gcc will require an ISO C90 compiler to build. And
the behaviour of %n is clearly specified in ISO C90. Actually, it's
not quite as clearcut as that, since we haven't necessarily committed
to an ISO C90 C library. At least, we still have supporting functions
in libiberty which are not required if we can assume an ISO C90 C
This deficiency is presumably only going to arise for a mingw hosted
gcc. Would it be possible for the mingw startup file to call
_set_printf_count_output? Perhaps under the control of a command line
option at link time?
Or, if we think that other systems are likely to also start disabling
%n by default, then it would make sense for us to change the code. It
would be easy to replace it with strlen calls, or, as you suggest, by
checking the return value of printf. The return value of printf is
portable (unlike the return value of sprintf).