RFR: 8373474: 2 Unintentional format string defect groups in jabswitch.cpp [v2]
Alexander Zvegintsev
azvegint at openjdk.org
Mon Dec 22 22:53:52 UTC 2025
On Mon, 22 Dec 2025 21:50:35 GMT, Damon Nguyen <dnguyen at openjdk.org> wrote:
>> src/jdk.accessibility/windows/native/jabswitch/jabswitch.cpp line 231:
>>
>>> 229: fprintf(origFile,
>>> 230: "assistive_technologies=com.sun.java.accessibility.AccessBridge\n"
>>> 231: "screen_magnifier_present=true\n");
>>
>> I don't think it is what Alexander meant.
>> I am not sure doing the above would even resolve the complaint because there's still no format string.
>>
>> I think he meant it should look like
>> fprintf(origfile, "%s",
>> "assistive_technologies=com.sun.java.accessibility.AccessBridge\nscreen_magnifier_present=true\n");
>> or
>> fprintf(origfile, "%s",
>> "assistive_technologies=com.sun.java.accessibility.AccessBridge\n" "screen_magnifier_present=true\n");
>> if you really want to use the automatic concatenation, but I had to check to be sure it would work so ..
>
> I see your point. I'll leave it as separated again just in case the string literal is updated with anything that can be misinterpreted as a specifier.
> I don't think it is what Alexander meant.
Damon understood me correctly. That's what I meant.
https://github.com/openjdk/jdk/pull/28949#discussion_r2640052922
> I am not sure doing the above would even resolve the complaint because there's still no format string.
It should.
before:
```c++
fprintf(origFile, str); // using `str` variable as format string > parfait complains
```
after:
```c++
fprintf(origFile,
        "assistive_technologies=com.sun.java.accessibility.AccessBridge\n"
        "screen_magnifier_present=true\n");
```
Here, we provide a format string (without the format specifiers), not the variable.
It's essentially identical to the code on line 301, `printf("Unable to get version info.\n");`, parfait didn't complain about that line.
> if you really want to use the automatic concatenation, but I had to check to be sure it would work so ..
It is in the standard, so I don't see any reason not to use it:
https://en.cppreference.com/w/cpp/language/string_literal.html#Concatenation
So, in my opinion, the variable str is unnecessary here.
---
> just in case the string literal is updated with anything that can be misinterpreted as a specifier.
I suppose it should be detected during the review process for such a change. Currently, there are no format specifiers being used.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28949#discussion_r2641462741
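The two forms debated in this thread, compared side by side as an added example (not code from the PR or from jabswitch.cpp). It uses `snprintf` into a buffer in place of `fprintf(origFile, ...)` so the resulting bytes can be compared; `EDITED_PROPS` and its `zoom` line are a constructed, hypothetical later edit of the literal.

```cpp
#include <cstdio>
#include <string>

// Property text from the thread, joined by adjacent-literal concatenation.
#define AB_PROPS \
    "assistive_technologies=com.sun.java.accessibility.AccessBridge\n" \
    "screen_magnifier_present=true\n"

// Hypothetical later edit (constructed): a line containing '%' characters.
#define EDITED_PROPS AB_PROPS "zoom=100%%\n"

// Form A: the literal itself is the format string (no variable involved).
std::string literal_as_format() {
    char buf[256];
    std::snprintf(buf, sizeof buf, AB_PROPS);
    return buf;
}

// Form B: fixed "%s" format, the text is passed as data.
std::string literal_as_data() {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%s", AB_PROPS);
    return buf;
}

// Same two forms after the hypothetical edit.
std::string edited_as_format() {
    char buf[256];
    std::snprintf(buf, sizeof buf, EDITED_PROPS);       // "%%" is interpreted
    return buf;
}

std::string edited_as_data() {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%s", EDITED_PROPS); // "%%" is copied as-is
    return buf;
}

int main() {
    // With no '%' in the text, both forms emit identical bytes.
    std::printf("current text identical: %d\n",
                literal_as_format() == literal_as_data());
    // Once '%' appears, the format-string form rewrites it; the "%s" form does not.
    std::printf("edited text identical:  %d\n",
                edited_as_format() == edited_as_data());
    return 0;
}
```

With the text as it stands the two forms are byte-for-byte equivalent; they diverge only when a `%` enters the literal, which is the case the reviewers discuss catching at review time.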