[argyllcms] Re: Patch: fix missing header, format security warnings

On Wed, Jun 10, 2009 at 8:55 AM, Kai-Uwe Behrmann<ku.b@xxxxxx> wrote:
> Am 09.06.09, 19:32 +0200 schrieb Frederic Crozat:
>
>> the following patch fixes some warnings caused by missing headers and
>> usage of -Werror=format-security (as used by default in latest
>> Mandriva release), as well as missing parameters in a DBG call.
>
> According to POSIX zero arguments to the fprintf format string are fine:
> http://www.opengroup.org/onlinepubs/009695399/functions/fprintf.html
>
> What is the rationale behind a (?):
> -                    fprintf(stderr, "put me on stderr");
> +                    fprintf(stderr, "%s", "put me on stderr");
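Review bot: The `%s` wrapper on the `+` line is unnecessary: the format argument on the `-` line is already a string literal containing no conversion specifiers, so `-Wformat-security` (and hence `-Werror=format-security`) does not fire on it. If the intent is to stay out of the format machinery altogether, `fputs("put me on stderr", stderr);` is the idiomatic replacement; keep `"%s"` only where the message comes from a non-literal variable.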

You are using an incorrect example:

-Werror=format-security is to detect potential security issues when
the format string is not a string literal but
obtained from a non-const variable. This might lead to a security hole if
this string has not been checked properly.

For your particular example, there is nothing to fix; gcc will not
output any warning.

When no format string is needed (and \n is added), puts/fputs is often better.

More info on this:
http://wiki.mandriva.com/en/Development/Tasks/Packaging/Problems#format_not_a_string_literal_and_no_format_arguments
and http://en.wikipedia.org/wiki/Format_string_attack

-- 
Frederic Crozat
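The distinction Frederic draws above, as an added example that is not part of the argyllcms thread or the project's code: the only pattern `-Wformat-security` flags is a non-literal string used as the format argument, and the two fixes are either a literal `"%s"` format or a call that takes no format at all (`fputs`). The function names and the sample message are constructed for this illustration.

```c
/* Added example, not code from the argyllcms patch discussion.
 * Shows the safe forms for printing a message that is not a string literal,
 * and why they are safe: a '%' inside the message is copied verbatim
 * instead of being interpreted as a conversion specifier. */
#include <stdio.h>
#include <string.h>

/* Safe: the format string is the literal "%s", so the contents of msg are
 * never parsed for conversions. Returns the length snprintf would write. */
int render_safe(char *buf, size_t n, const char *msg)
{
    return snprintf(buf, n, "%s", msg);
}

/* Also safe: fputs takes no format string at all, so there is nothing for
 * the compiler (or an attacker) to interpret. */
int emit_safe(FILE *out, const char *msg)
{
    return fputs(msg, out);
}

/* The "before" shape that -Wformat-security warns about, kept as a comment
 * so this file still builds with -Werror=format-security:
 *
 *   int render_unsafe(char *buf, size_t n, const char *msg)
 *   {
 *       return snprintf(buf, n, msg);   // msg is not a literal
 *   }
 *
 * With msg coming from a file name, an environment variable or the
 * network, any '%' sequences in it would be acted on by snprintf. */

/* Check that formatting msg through the safe path reproduces it exactly,
 * including every '%' it contains. Returns 1 on success, 0 otherwise.
 * The 256-byte scratch buffer is an assumption of this example. */
int percent_preserved(const char *msg)
{
    char buf[256];
    int len = render_safe(buf, sizeof buf, msg);
    if (len < 0 || (size_t)len >= sizeof buf)
        return 0;                      /* truncated: not an exact copy */
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed sample: a message that happens to contain '%' sequences. */
    const char *msg = "disk usage 100%x, see %s for details";
    char buf[128];

    render_safe(buf, sizeof buf, msg);
    printf("safe snprintf : %s\n", buf);
    emit_safe(stdout, "fputs form    : ");
    emit_safe(stdout, msg);
    emit_safe(stdout, "\n");
    printf("preserved     : %d\n", percent_preserved(msg));
    return 0;
}
```

Compiling this file with `gcc -Wformat -Wformat-security` produces no warning; uncommenting `render_unsafe` is what triggers "format not a string literal and no format arguments", which is exactly the condition the Mandriva build flags turn into an error.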
