Many functions use the formatted input/output interpreter. The list of such functions is not limited to printf, and they are not found only in console applications: graphical applications and the server-side parts of client/server applications running under Windows NT actively use sprintf, which writes a formatted string into a buffer.
The functions listed in Table 6.1 are not dangerous by themselves. What makes them dangerous is the presence of user input in the format argument. When searching for vulnerabilities in a program, hackers usually look for such code sections.
Table 6.1. Functions that use the formatted input/output interpreter

Function | Encoding | Description
---|---|---
fprintf | ASCII | Formatted output into a file
fwprintf | UNICODE | Formatted output into a file
fscanf | ASCII | Formatted input from the named input stream
fwscanf | UNICODE | Formatted input from the named input stream
printf | ASCII | Formatted output into stdout
wprintf | UNICODE | Formatted output into stdout
scanf | ASCII | Formatted input from stdin
wscanf | UNICODE | Formatted input from stdin
_snprintf | ASCII | Formatted output into a buffer with a length limitation
_snwprintf | UNICODE | Formatted output into a buffer with a length limitation
sprintf | ASCII | Formatted output into a buffer
swprintf | UNICODE | Formatted output into a buffer
sscanf | ASCII | Formatted input from a buffer
swscanf | UNICODE | Formatted input from a buffer
vfprintf | ASCII | Formatted output into the named stream
vfwprintf | UNICODE | Formatted output into the named stream
vprintf | ASCII | Formatted output into stdout
vwprintf | UNICODE | Formatted output into stdout
_vsnprintf | ASCII | Formatted output into a buffer with a length limitation
_vsnwprintf | UNICODE | Formatted output into a buffer with a length limitation
vsprintf | ASCII | Formatted output into a buffer
vswprintf | UNICODE | Formatted output into a buffer
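An added example in C (not from the book) of the code pattern the text describes: a user-supplied message rendered into a buffer, with the defective call shown in a comment beside the hardened form that keeps the format argument constant, plus a small audit helper that reports how many conversion specifiers a string would carry into a format argument. Function names, the sample message and the buffer sizes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form: the format string is a constant and the user-supplied
 * text is passed only as the argument of %s, so it is copied rather than
 * interpreted. Returns the length snprintf would have produced, so the
 * caller can detect truncation when the result is >= outlen. */
int render_safe(char *out, size_t outlen, const char *user_msg)
{
    /* Defective variant the text warns about (do not use):
     *     snprintf(out, outlen, user_msg);
     * Here user_msg itself is the format argument, so any %-specifier
     * inside it is executed by the formatted-output interpreter. */
    return snprintf(out, outlen, "%s", user_msg);
}

/* Audit helper: count the conversion specifiers a string would carry if
 * it reached a format argument. "%%" is a literal percent sign and is
 * not counted; a lone trailing '%' is counted as an (incomplete) spec. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample input mixing a literal percent with specifiers. */
    const char *msg = "50%% done, %x %n";

    render_safe(buf, sizeof buf, msg);
    printf("rendered verbatim: %s\n", buf);
    printf("conversion specifiers in input: %d\n", count_conversions(msg));
    return 0;
}
```

A review of code that calls any function in Table 6.1 should confirm that the format argument is a literal at every call site; the helper above is the check to apply to any string that is not.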