Re: Fixes for compiler warnings

From Peter Eisentraut
Subject Re: Fixes for compiler warnings
Date
Msg-id 200901182216.24364.peter_e@gmx.net
In reply to Re: Fixes for compiler warnings  (Grzegorz Jaskiewicz <gj@pointblue.com.pl>)
List pgsql-hackers
On Sunday 18 January 2009 12:43:46 Grzegorz Jaskiewicz wrote:
> > -Wformat-security warns about
> >
> >    printf(var);
> >
> > but not about
> >
> >    printf(var, a);
> >
> > I don't understand that; the crash or exploit potential is pretty much the
> > same in both cases.
>
> Not at all. The first case allows you to pass in var from outside, with
> your well-crafted format strings. Please read more about the subject
> before you say something that silly.

If your premise is that var is passed in from the outside, then the real issue 
is the %n placeholder.  And then it doesn't matter how many variadic args you 
pass.
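
Added example, not part of the original message: a small scanner showing that the number of arguments a format string consumes, and whether it contains %n, is decided by the string itself and not by how many variadic arguments the call site passes. The names `scan_format`, `format_untrusted` and `struct fmt_info` are hypothetical, and the scanner assumes a simplified printf grammar (no positional `%1$s` forms).

```c
#include <stdio.h>
#include <string.h>

struct fmt_info {
    int args_needed;  /* variadic arguments the string will consume */
    int writes_mem;   /* 1 if it contains %n, which stores through a pointer */
};

/* Walk the format the way printf would, counting what it consumes. */
struct fmt_info scan_format(const char *fmt)
{
    struct fmt_info info = {0, 0};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* "%%" is a literal percent sign */
            continue;
        while (*p && strchr("-+ #0", *p)) p++;         /* flags */
        if (*p == '*') { info.args_needed++; p++; }    /* width taken from an arg */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                               /* precision */
            p++;
            if (*p == '*') { info.args_needed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hljztL", *p)) p++;        /* length modifiers */
        if (*p == '\0')
            break;                        /* truncated directive at end of string */
        info.args_needed++;               /* the conversion itself takes one arg */
        if (*p == 'n')
            info.writes_mem = 1;
    }
    return info;
}

/* Hardened form: the format is a literal, so var is only ever treated as data. */
int format_untrusted(char *out, size_t outlen, const char *var)
{
    return snprintf(out, outlen, "%s", var);
}

int main(void)
{
    const char *var = "%s%s%n";           /* constructed sample input */
    struct fmt_info i = scan_format(var);
    printf("args=%d writes_mem=%d\n", i.args_needed, i.writes_mem);
    return 0;
}
```

With this sample, both `printf(var)` and `printf(var, a)` supply fewer arguments than the string consumes; only the literal-format call is independent of the contents of `var`.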

