int
printf(
const char * restrict format
, ...
)
int
fprintf(
FILE * restrict stream
, const char * restrict format
, ...
)
int
sprintf(
char * restrict str
, const char * restrict format
, ...
)
int
snprintf(
char * restrict str
, size_t size
, const char * restrict format
, ...
)
int
asprintf(
char ** restrict ret
, const char * restrict format
, ...
)
int
vprintf(
const char * restrict format
, va_list ap
)
int
vfprintf(
FILE * restrict stream
, const char * restrict format
, va_list ap
)
int
vsprintf(
char * restrict str
, const char * restrict format
, va_list ap
)
int
vsnprintf(
char * restrict str
, size_t size
, const char * restrict format
, va_list ap
)
int
vasprintf(
char ** restrict ret
, const char * restrict format
, va_list ap
)
)
family of functions produces output according to a
format
as described below.
The
printf(
)
and
vprintf(
)
functions
write output to
stdout,
the standard output stream;
fprintf(
)
and
vfprintf(
)
write output to the given output
stream
;
sprintf(
),
snprintf(
),
vsprintf(
),
and
vsnprintf(
)
write to the character string
str
;
and
asprintf(
)
and
vasprintf(
)
write to a dynamically allocated string that is stored in
ret
.
These functions write the output under the control of a
format
string that specifies how subsequent arguments
(or arguments accessed via the variable-length argument facilities of
stdarg(3))
are converted for output.
These functions return the number of characters printed (not including the trailing `\0' used to end output to strings). If an output error was encountered, these functions shall return a negative value.
asprintf()
and
vasprintf(
)
return a pointer to a buffer sufficiently large to hold the
string in the
ret
argument.
This pointer should be passed to
free(3)
to release the allocated storage when it is no longer needed.
If sufficient space cannot be allocated, these functions
will return -1 and set
ret
to be a
NULL
pointer.
Please note that these functions are not standardized, and not all
implementations can be assumed to set the
ret
argument to
NULL
on error.
It is more portable to check for a return value of -1 instead.
snprintf()
and
vsnprintf(
)
will write at most
size
-1
of the characters printed into the output string
(the
size
'th
character then gets the terminating
`\0');
if the return value is greater than or equal to the
size
argument, the string was too short
and some of the printed characters were discarded.
If
size
is zero, nothing is written and
str
may be a
NULL
pointer.
sprintf()
and
vsprintf(
)
effectively assume an infinite
size
.
The format string is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments. Each conversion specification is introduced by the character %. The arguments must correspond properly (after type promotion) with the conversion specifier. After the %, the following appear in sequence:
Modifier | d, i | o, u, x, X | n |
hh | Vt signed char | Vt unsigned char | Vt signed char * |
h | Vt short | Vt unsigned short | Vt short * |
l (ell) | Vt long | Vt unsigned long | Vt long * |
ll (ell ell) | Vt | long long Vt unsigned long long | Vtlong long * |
j | Vt intmax_t | Vt uintmax_t | Vt intmax_t * |
t | Vt ptrdiff_t | (see note) | Vt ptrdiff_t * |
z | (see note) | Vt size_t | (see note) |
q (deprecated) Vt quad_t | Vt u_quad_t | Vt quad_t *
| |
Note: the t modifier, when applied to a o, u, x, or X conversion, indicates that the argument is of an unsigned type equivalent in size to a The z modifier, when applied to a d or i conversion, indicates that the argument is of a signed type equivalent in size to a Similarly, when applied to an n conversion, it indicates that the argument is a pointer to a signed type equivalent in size to a
The following length modifier is valid for the a, A, e, E, f, F, g, or G conversion:
Modifier | a, A, e, E, f, F, g, G |
l (ell) | Vt double (ignored, same behavior as without it) |
L | Vt long double |
The following length modifier is valid for the c or s conversion:
Modifier | c | s |
l (ell) | Vt wint_t | Vt wchar_t * |
A field width or precision, or both, may be indicated by
an asterisk
`*'
or an asterisk followed by one or more decimal digits and a
`$'
instead of a
digit string.
In this case, an
argument supplies the field width or precision.
A negative field width is treated as a left adjustment flag followed by a
positive field width; a negative precision is treated as though it were
missing.
If a single format directive mixes positional
(nn$
)
and non-positional arguments, the results are undefined.
The conversion specifiers and their meanings are:
abcdef
''
are used for
x
conversions; the letters
``
ABCDEF
''
are used for
X
conversions.
The precision, if any, gives the minimum number of digits that must
appear; if the converted value requires fewer digits, it is padded on
the left with zeros.
.
ddd
e
dd]
where there is one digit before the
decimal-point character
and the number of digits after it is equal to the precision;
if the precision is missing,
it is taken as 6; if the precision is
zero, no decimal-point character appears.
An
E
conversion uses the letter
`E'
(rather than
`e')
to introduce the exponent.
The exponent always contains at least two digits; if the value is zero,
the exponent is 00.
For
a,
A,
e,
E,
f,
F,
g,
and
G
conversions, positive and negative infinity are represented as
inf
and
-inf
respectively when using the lowercase conversion character, and
INF
and
-INF
respectively when using the uppercase conversion character.
Similarly, NaN is represented as
nan
when using the lowercase conversion, and
NAN
when using the uppercase conversion.
.
ddd,]
where the number of digits after the decimal-point character
is equal to the precision specification.
If the precision is missing, it is taken as 6; if the precision is
explicitly zero, no decimal-point character appears.
If a decimal point appears, at least one digit appears before it.
0x
h
.
hhhp [.blm Pp d,]]
where the number of digits after the hexadecimal-point character
is equal to the precision specification.
If the precision is missing, it is taken as enough to represent
the floating-point number exactly, and no rounding occurs.
If the precision is zero, no hexadecimal-point character appears.
The
p
is a literal character
`p',
and the exponent consists of a positive or negative sign
followed by a decimal number representing an exponent of 2.
The
A
conversion uses the prefix
``
0X
''
(rather than
``
0x
''),
the letters
``
ABCDEF
''
(rather than
``
abcdef
'')
to represent the hex digits, and the letter
`P'
(rather than
`p')
to separate the mantissa and exponent.
Note that there may be multiple valid ways to represent floating-point
numbers in this hexadecimal format.
For example,
0x3.24p+0
, 0x6.48p-1
and
0xc.9p-2
are all equivalent.
The format chosen depends on the internal representation of the
number, but the implementation guarantees that the length of the
mantissa will be minimized.
Zeroes are always represented with a mantissa of 0 (preceded by a
`-'
if appropriate) and an exponent of
+0
.
If the l (ell) modifier is used, the argument shall be converted to a and the (potentially multi-byte) sequence representing the single wide character is written, including any shift sequences. If a shift sequence is used, the shift state is also restored to the original state after the character.
NUL
character;
if a precision is specified, no more than the number specified are
written.
If a precision is given, no null character
need be present; if the precision is not specified, or is greater than
the size of the array, the array must contain a terminating
NUL
character.
If the
l
(ell) modifier is used, the
argument is expected to be a pointer to an array of wide characters
(pointer to a wide string).
For each wide character in the string, the (potentially multi-byte)
sequence representing the
wide character is written, including any shift sequences.
If any shift sequence is used, the shift state is also restored
to the original state after the string.
Wide characters from the array are written up to (but not including)
a terminating wide
NUL
character;
if a precision is specified, no more than the number of bytes specified are
written (including shift sequences).
Partial characters are never written.
If a precision is given, no null character
need be present; if the precision is not specified, or is greater than
the number of bytes required to render the multibyte representation of
the string, the array must contain a terminating wide
NUL
character.
The decimal point
character is defined in the program's locale (category
LC_NUMERIC
).
In no case does a non-existent or small field width cause truncation of a numeric field; if the result of a conversion is wider than the field width, the field is expanded to contain the conversion result.
Sunday, July 3, 10:02
'',
where
weekday
and
month
are pointers to strings:
#include <stdio.h>
fprintf(stdout, "%s, %s %d, %.2d:%.2d\n",
weekday, month, day, hour, min);
To print to five decimal places:
#include <math.h>
#include <stdio.h>
fprintf(stdout, "pi = %.5f\n", 4 * atan(1.0));
To allocate a 128 byte string and print into it:
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
char *newfmt(const char *fmt, ...)
{
char *p;
va_list ap;
if ((p = malloc(128)) == NULL)
return (NULL);
va_start(ap, fmt);
(void) vsnprintf(p, 128, fmt, ap);
va_end(ap);
return (p);
}
)
and
vsprintf(
)
functions are easily misused in a manner which enables malicious users
to arbitrarily change a running program's functionality through
a buffer overflow attack.
Because
sprintf(
)
and
vsprintf(
)
assume an infinitely long string,
callers must be careful not to overflow the actual space;
this is often hard to assure.
For safety, programmers should use the
snprintf(
)
interface instead.
For example:
void
foo(const char *arbitrary_string, const char *and_another)
{
char onstack[8];
#ifdef BAD
/*
* This first sprintf is bad behavior. Do not use sprintf!
*/
sprintf(onstack, "%s, %s", arbitrary_string, and_another);
#else
/*
* The following two lines demonstrate better use of
* snprintf().
*/
snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string,
and_another);
#endif
}
The
printf()
and
sprintf(
)
family of functions are also easily misused in a manner
allowing malicious users to arbitrarily change a running program's
functionality by either causing the program
to print potentially sensitive data
``left on the stack'',
or causing it to generate a memory fault or bus error
by dereferencing an invalid pointer.
%n
can be used to write arbitrary data to potentially carefully-selected
addresses.
Programmers are therefore strongly advised to never pass untrusted strings
as the
format
argument, as an attacker can put format specifiers in the string
to mangle your stack,
leading to a possible security hole.
This holds true even if the string was built using a function like
snprintf(),
as the resulting string may still contain user-supplied conversion specifiers
for later interpolation by
printf(
).
Always use the proper secure idiom:
snprintf(buffer, sizeof(buffer), "%s", string);
)
family of functions may fail if:
EILSEQ
]
ENOMEM
]
),
printf(
),
sprintf(
),
vprintf(
),
vfprintf(
),
and
vsprintf(
)
functions
conform to
ANSI X3.159-1989 (``ANSI C89'')
and
ISO/IEC 9899:1999 (``ISO C99'') .
With the same reservation, the
snprintf(
)
and
vsnprintf(
)
functions conform to
ISO/IEC 9899:1999 (``ISO C99'') .
)
and
vsnprintf(
)
first appeared in
4.4BSD.
The functions
asprintf(
)
and
vasprintf(
)
are modeled on the ones that first appeared in the GNU C library.
)
and
vsprintf(
)
assume an infinitely long string, callers must be careful not to
overflow the actual space; this is often impossible to assure.
For safety, programmers should use the
snprintf(
)
and
asprintf(
)
family of interfaces instead.
Unfortunately, the
snprintf(
)
interfaces are not available on older
systems and the
asprintf(
)
interfaces are not yet portable.
It is important never to pass a string with user-supplied data as a
format without using
`%s'.
An attacker can put format specifiers in the string to mangle your stack,
leading to a possible security hole.
This holds true even if you have built the string
``by hand''
using a function like
snprintf(),
as the resulting string may still contain user-supplied conversion specifiers
for later interpolation by
printf(
).
Be sure to use the proper secure idiom:
snprintf(buffer, sizeof(buffer), "%s", string);
There is no way for printf to know the size of each argument passed. If you use positional arguments you must ensure that all parameters, up to the last positionally specified parameter, are used in the format string. This allows for the format string to be parsed for this information. Failure to do this will mean your code is non-portable and liable to fail.
In this implementation, passing a
NULL
argument to the
%s
format specifier will output
(null)
instead of crashing.
Programs that depend on this behavior are non-portable and may crash
on other systems or in the future.
The
printf
family of functions do not correctly handle multibyte characters in the
format
argument.