Content deleted Content added
HeyElliott (talk | contribs) m Fixed citation |
No edit summary |
||
Line 1:
{{Short description|Type of software vulnerability}}
{{Use dmy dates|date=August 2019|cs1-dates=y}}
'''Uncontrolled format string''' is a type of [[code injection]] [[software vulnerability|vulnerability]] discovered around 1989 that can be used in [[security exploit]]s.<ref name="CWE134"/> Originally thought harmless, format string exploits can be used to [[Crash (computing)|crash]] a program or to execute harmful code. The problem stems from the use of [[unchecked user input]] as the [[format string]] parameter in certain [[C (programming language)|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the <code>%s</code> and <code>%x</code> format tokens, among others, to print data from the [[call stack]] or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the <code>%n</code> format token, which commands <code>printf()</code> and similar functions to write the number of bytes formatted to an address stored on the stack.
==Details==
| |||