Posts Tagged ‘printf’

Dangerous printf

Friday, September 17th, 2010

It took quite some time until I found this bug. Here’s a simplified version of what caused it:

char dir[2048];
GetCurrentDirectory(2048, dir);
printf(CString("Current dir is:")+dir));

That’s doesn’t look bad, does it? And (like in the great programmer quotes), it works on my computer. But it doesn’t work if the customer’s current folder is something like “%&┬žsomething”, because it contains %s.

So don’t throw any external data at the first parameter of printf, sprintf, etc; instead put it into the following parameters.

printf(“Current dir is: %s”, dir);