Some time ago GCC started producing warnings like this:
warning: format not a string literal and no format arguments
What does this mean? GCC is saying that a printf-style function is being called with a format string that it cannot check against the format arguments. Here is some common GLib code that causes this warning:
GError *error = ...;
g_error(error->message);
Why is this a problem? As error->message cannot be checked, it may contain a printf conversion sequence, e.g. "Invalid data: 'g^y#%s'" (i.e. %s), that would cause the run-time to try to access a non-existent argument. It could be worse: the format string could be user input that is attempting to exploit your program.
So the solution is to always use a string literal for formatting, like this:
g_error("%s", error->message);
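GCC can apply the same check to your own printf-style wrappers. The following is an added example, not code from the original post or from GLib: log_fmt and log_message are hypothetical names, and the sample message is the one quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style wrapper (not a GLib function). The format
 * attribute makes GCC check its callers exactly as it checks printf(),
 * so -Wformat -Wformat-security reports a non-literal format here too. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);   /* never writes past out[n-1] */
    va_end(ap);
    return len;                             /* length the full text needs */
}

/* Safe form: the format is a literal, the untrusted text is only data.
 * Writing log_fmt(out, n, untrusted) instead would draw the warning
 * "format not a string literal and no format arguments". */
static int log_message(char *out, size_t n, const char *untrusted)
{
    return log_fmt(out, n, "%s", untrusted);
}

int main(void)
{
    /* Constructed sample: the message from the post, containing "%s". */
    const char *msg = "Invalid data: 'g^y#%s'";
    char buf[64];

    int len = log_message(buf, sizeof buf, msg);
    printf("%d bytes: %s\n", len, buf);     /* "%s" is copied verbatim */
    return 0;
}
```

Building with -Werror=format-security turns any remaining non-literal format call into a compile error rather than a warning.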