Posted Feb 2, 2012 22:11 UTC (Thu) by iabervon
In reply to: In 2011?
Parent article: Format string vulnerabilities
Nobody does write printf(variable). Unfortunately, they do write vprintf(fmt, args), where fmt is the concatenation of some strings and an appropriate format string. The goals were: call a single stdio function in order to avoid interleaving your message with other output (potentially from a subprocess); print a bit of identifying information at the beginning; and print a caller-supplied format string with its appropriate arguments. There's not really a good way to do all of these together, since you can't insert things in a va_list.
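The comment describes three goals (one stdio call, an identifying prefix, and a caller-supplied format string with its own arguments) and the concatenation habit that puts the prefix into the format string. The following is an added example, not code from the comment or the article, showing one way to meet all three goals without ever passing the prefix through a format string: the caller's fmt and va_list are rendered with vsnprintf into a buffer, the prefix and that buffer are then combined as plain "%s" arguments, and a single fputs emits the line. The function names (log_render, log_msg) and the sizes are assumptions made for this example; the prefix "pid 100%" in main is a constructed value chosen because a '%' in a concatenated prefix would otherwise be parsed as a conversion.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Render prefix + ": " + vformatted(fmt, ap) into out.
 * The prefix is passed as a %s argument, never as part of a format string,
 * so any '%' it contains is printed literally.
 * Returns the number of characters written (excluding the NUL), or -1 on
 * encoding error or truncation of either stage. */
static int log_vrender(char *out, size_t outsz, const char *prefix,
                       const char *fmt, va_list ap)
{
    char body[256];                          /* assumed upper bound on one message */
    int n = vsnprintf(body, sizeof body, fmt, ap);
    if (n < 0 || (size_t)n >= sizeof body)
        return -1;                           /* refuse to emit a truncated body */
    int m = snprintf(out, outsz, "%s: %s", prefix, body);
    if (m < 0 || (size_t)m >= outsz)
        return -1;
    return m;
}

/* Variadic wrapper that only renders; convenient for checking the result. */
int log_render(char *out, size_t outsz, const char *prefix, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = log_vrender(out, outsz, prefix, fmt, ap);
    va_end(ap);
    return n;
}

/* Render and emit with exactly one stdio call, so the line cannot be
 * interleaved with other writers of the same stream. */
int log_msg(FILE *stream, const char *prefix, const char *fmt, ...)
{
    char line[512];                          /* assumed upper bound on one line */
    va_list ap;
    va_start(ap, fmt);
    int n = log_vrender(line, sizeof line, prefix, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n + 1 >= sizeof line)
        return -1;                           /* no room for the newline */
    line[n] = '\n';
    line[n + 1] = '\0';
    return fputs(line, stream) == EOF ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: a prefix containing '%' and a normal format/args. */
    log_msg(stdout, "pid 100%", "value=%d", 42);
    log_msg(stdout, "worker[7]", "got %d bytes from %s", 512, "peer");
    return 0;
}
```

log_vrender keeps the caller's va_list untouched apart from consuming it once, which is why nothing needs to be inserted into it: the identifying information is attached after formatting, not before. Reporting truncation as an error rather than silently clipping keeps a log line from losing the tail that usually carries the interesting detail.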