RFR: 8373475: Unintentional format string in logString of AccessInfo.cpp [v2]
Alexey Ivanov
aivanov at openjdk.org
Tue Dec 23 17:28:56 UTC 2025
On Mon, 22 Dec 2025 20:34:53 GMT, Damon Nguyen <dnguyen at openjdk.org> wrote:
>> This update is to fix the potential issue where tmpbuf can be read as a format argument for `fprintf`. I have added a specifier here to avoid this issue since the string from tmpbuf is not guaranteed to not cause issues. This update should make this print more reliable and safe to use.
>
> Damon Nguyen has updated the pull request incrementally with one additional commit since the last revision:
>
> Combine fprintf
Changes requested by aivanov (Reviewer).
src/jdk.accessibility/windows/native/toolscommon/AccessInfo.cpp line 1:
> 1: /*
Bump the copyright year.
src/jdk.accessibility/windows/native/toolscommon/AccessInfo.cpp line 100:
> 98: vsnprintf(tmpbuf, sizeof(tmpbuf), msg, argprt);
> 99:
> 100: fprintf(logfile, "%s\n", tmpbuf);
Why can't we use [`fputs`](https://en.cppreference.com/w/c/io/fputs.html) and avoid all the format string logic and ambiguity altogether?
Alternatively, *use `vfprintf` directly* instead of first formatting the arguments into a temporary buffer with `vsnprintf` and then sending the result to the output.
-------------
PR Review: https://git.openjdk.org/jdk/pull/28950#pullrequestreview-3608795656
PR Review Comment: https://git.openjdk.org/jdk/pull/28950#discussion_r2643847378
PR Review Comment: https://git.openjdk.org/jdk/pull/28950#discussion_r2643839745
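The two alternatives raised in the review above, side by side, as an added example that is not code from the pull request or from the JDK. The names `log_fputs`, `log_vfprintf` and `demo`, the buffer size, and the sample value are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Not shown as code: fprintf(out, tmpbuf) re-parses the already formatted
 * text, so a '%' that arrived through an argument becomes a conversion
 * with no matching argument (undefined behaviour). */

/* Alternative 1: keep the temporary buffer, write it with fputs. */
static void log_fputs(FILE *out, const char *msg, ...) {
    char tmpbuf[1024];               /* size is an assumption */
    va_list ap;
    va_start(ap, msg);
    vsnprintf(tmpbuf, sizeof(tmpbuf), msg, ap);
    va_end(ap);
    fputs(tmpbuf, out);              /* no format parsing at all */
    fputc('\n', out);
}

/* Alternative 2: no buffer, format once, straight into the stream. */
static void log_vfprintf(FILE *out, const char *msg, ...) {
    va_list ap;
    va_start(ap, msg);
    vfprintf(out, msg, ap);          /* msg is the only format string */
    va_end(ap);
    fputc('\n', out);
}

/* Logs a constructed value containing '%' through both variants and copies
 * what reached each stream into a and b. Returns 0 when they are equal. */
static int demo(char *a, char *b, size_t cap) {
    const char *value = "progress 100%s of %d"; /* constructed sample */
    FILE *f1 = tmpfile(), *f2 = tmpfile();
    if (f1 == NULL || f2 == NULL) return -1;
    log_fputs(f1, "name=%s", value);
    log_vfprintf(f2, "name=%s", value);
    rewind(f1); rewind(f2);
    a[fread(a, 1, cap - 1, f1)] = '\0';
    b[fread(b, 1, cap - 1, f2)] = '\0';
    fclose(f1); fclose(f2);
    return strcmp(a, b);
}

int main(void) {
    char a[128], b[128];
    if (demo(a, b, sizeof(a)) != 0) return 1;
    printf("%s%s", a, b);            /* both lines keep the '%' literally */
    return 0;
}
```

The variants differ only for long messages: the buffered one truncates at the size of `tmpbuf`, while `vfprintf` writes the whole message.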
More information about the client-libs-dev mailing list