> Quick answer, more later:
> 
> Theo de Raadt wrote on Thu, Nov 16, 2017 at 09:52:39AM -0700:
> > Todd Miller wrote:
> 
> >> Also, POSIX isn't explicit as to whether that restriction applies
> >> to the format string or just the arguments to %lc and %ls conversions.
> >> 
> >> What it does say is:
> >> 
> >>     The format is composed of zero or more directives: ordinary
> >>     characters, which are simply copied to the output stream, and
> >>     conversion specifications, each of which shall result in the
> >>     fetching of zero or more arguments.
> 
> > Well that says the format string is a string, not a wide string.
> 
> There are three kinds of strings, not two.  You are confusing wide
> strings and multibyte strings.  It is certainly not a wide string.
> It is a multibyte string, that is what the use of the word "character"
> indicates.  If it were a byte string, it would talk about bytes
> instead, see for example how POSIX describes %s:
> 
>     The argument shall be a pointer to an array of char.  Bytes from
>     the array shall be written up to (but not including) any terminating
>     null byte.
Doesn't make sense to me.  It says

    which are simply copied to the output stream

What part of "simply copied" involves calling a function which makes
a decision and decides to error instead?

Have you found a single example which needs to do the check?  Surely
if this is important, there will be at least one in ports.

So I'm positive they should be copied out byte-for-byte.  Without a
check.  Simply can mean without additional labour.

I also feel adding -1 handling would only serve one purpose: Increasing
fragility.  Let us recall that the source tree used to contain no
checks for sprintf/snprintf returning -1.  Only checks for < size.
Solaris was the first system to do this -1 stuff, and it took 15 years
to complete the work of adding the clumsy checks to our tree.  15 years
of nearly wasted work, I suspect.

> > I think EILSEQ and -1 are intended to apply entirely to failed
> > conversions,
> 
> That is not true.  For example, the function mblen(3) is specified
> to return EILSEQ, and it does so.  So EILSEQ is also used for
> validation even without conversion, even elsewhere.

The suggestion is that it should not be called.  If it is not called,
then it is irrelevant.

> > and these checks were mistakenly added to printf a while
> > ago.
> 
> The *printf() functions set EILSEQ in these cases since revision 1.1
> in 1995.

Yes, I already proposed that someone made a mistake a while ago.
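Added example (not code from this thread, and not OpenBSD libc code): a small C program that shows the two points argued over above. First, how an snprintf(3) return value of -1 interacts with the old "< size" check and with a grow-the-buffer retry, next to a check that tests the sign explicitly. Second, that a format string whose ordinary characters include the byte 0xff is copied out byte-for-byte in the "C" locale on any libc, while in a UTF-8 locale the result depends on the implementation: either copied through unchanged, or -1 with errno set to EILSEQ, which is the behaviour the thread describes for OpenBSD. The helper names and the "C.UTF-8" locale name are this example's own assumptions.

```c
/* Added example; not OpenBSD code.  Helper names are this example's own. */
#include <errno.h>
#include <limits.h>
#include <locale.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum fmt_status { FMT_OK, FMT_TRUNCATED, FMT_ERROR };

/* Correct classification: test the sign before comparing with a size_t. */
enum fmt_status classify_snprintf(int n, size_t size)
{
	if (n < 0)
		return FMT_ERROR;		/* EILSEQ, EOVERFLOW, ... */
	if ((size_t)n >= size)
		return FMT_TRUNCATED;		/* n + 1 bytes were needed */
	return FMT_OK;
}

/*
 * The historical "< size" check.  For n == -1 the usual arithmetic
 * conversions turn -1 into SIZE_MAX, so an error is reported as
 * truncation; nothing tells the caller that no output was produced.
 */
int old_check_fits(int n, size_t size)
{
	return n < size;			/* int silently promoted to size_t */
}

/* "One more than snprintf said" yields a 0-byte buffer for n == -1. */
size_t naive_retry_size(int n)
{
	return (size_t)n + 1;
}

/* Retry size that refuses to turn an error into a zero-byte allocation. */
int safe_retry_size(int n, size_t *out)
{
	if (n < 0)
		return -1;
	*out = (size_t)n + 1;
	return 0;
}

/* Format into a caller-supplied buffer; errno is left set on FMT_ERROR. */
enum fmt_status format_checked(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	return classify_snprintf(n, size);
}

/*
 * Call snprintf() under the named locale with a format whose *ordinary*
 * characters contain the byte 0xff, which is never valid UTF-8.  Returns
 * snprintf()'s value, or INT_MIN if the locale is not installed; the
 * caller's LC_CTYPE is restored.  The literal is split in two so that
 * the \xff escape does not swallow the following 'b' as a hex digit.
 */
int probe_invalid_byte_in_format(const char *locale_name, char *out,
    size_t outsz, int *err)
{
	char saved[64];
	const char *cur;
	int n;

	*err = 0;
	cur = setlocale(LC_CTYPE, NULL);
	snprintf(saved, sizeof saved, "%s", cur != NULL ? cur : "C");
	if (setlocale(LC_CTYPE, locale_name) == NULL)
		return INT_MIN;
	errno = 0;
	n = snprintf(out, outsz, "a\xff" "b");
	*err = errno;
	setlocale(LC_CTYPE, saved);
	return n;
}

int main(void)
{
	char buf[16];
	int e, n;

	printf("classify(-1): %d  old_check_fits(-1): %d  naive retry: %zu\n",
	    classify_snprintf(-1, sizeof buf), old_check_fits(-1, sizeof buf),
	    naive_retry_size(-1));
	n = probe_invalid_byte_in_format("C", buf, sizeof buf, &e);
	printf("C locale: returned %d, errno %d\n", n, e);
	n = probe_invalid_byte_in_format("C.UTF-8", buf, sizeof buf, &e);
	if (n == INT_MIN)
		printf("C.UTF-8: locale not installed\n");
	else
		printf("C.UTF-8: returned %d, errno %d%s\n", n, e,
		    e == EILSEQ ? " (EILSEQ: this libc validates the format)" : "");
	return 0;
}
```

Build with cc -std=c99 -Wall and run it once per libc of interest. The retry-size helpers are the point about fragility: a wrapper that hands "n + 1" to malloc(3) must test the sign of n first, and that is exactly the kind of extra check the message above objects to having to add throughout a tree.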
