Grzegorz Jaskiewicz wrote:
> On 2009-01-18, at 09:56, Peter Eisentraut wrote:
>> -Wformat-security warns about
>>
>> printf(var);
>>
>> but not about
>>
>> printf(var, a);
>>
>> I don't understand that; the crash or exploit potential is pretty much the
>> same in both cases.
> Not at all. The first case allows you to pass in var from outside, with
> your well-crafted format strings. Please read more about the subject
> before you say something that silly.

The point is that if "var" comes from an untrusted source, both forms
are just as dangerous.

I guess that in practice, the first form is more likely to be an oversight.

-- 
Heikki Linnakangas
EnterpriseDB   http://www.enterprisedb.com
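
An added example, not code from this thread: gcc's `-Wformat-nonliteral` flags both forms discussed above, and where a run-time format string is unavoidable, its conversions can be checked against what the call site actually passes before it reaches `printf`. The helper names `format_matches` and `print_checked` and the sample strings are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return 1 only if the conversions in fmt are exactly
 * those listed in expected (e.g. "sd" = one %s, then one %d), else 0.
 * %n, '*' widths, positional '$' and length modifiers are all rejected. */
int format_matches(const char *fmt, const char *expected)
{
    size_t n = 0, want = strlen(expected);

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* literal percent sign */
            continue;
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        while (*p >= '0' && *p <= '9')      /* width */
            p++;
        if (*p == '.') {                    /* precision */
            p++;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        /* Anything unexpected here (n, *, $, l, h, end of string) fails. */
        if (*p == '\0' || *p == 'n' || n >= want || *p != expected[n])
            return 0;
        n++;
    }
    return n == want;
}

/* var is a run-time string (constructed scenario); the call site always
 * passes one char* and one int, so only the "sd" shape is accepted. */
int print_checked(const char *var, const char *name, int count)
{
    if (!format_matches(var, "sd"))
        return -1;
    printf(var, name, count);   /* the printf(var, a) form, now validated */
    return 0;
}

int main(void)
{
    print_checked("%s has %d rows\n", "t1", 3);
    if (print_checked("%s%s%s%s\n", "t1", 3) < 0)
        puts("rejected");
    return 0;
}
```

When the string is only data and no conversions are wanted, `printf("%s", var)` or `fputs(var, stdout)` removes the problem entirely.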