[PATCH] Check the format of more printf-type functions

[PATCH] Check the format of more printf-type functions

[Tarmigan Casebolt]

We already have these checks in many printf-type functions that have
prototypes which are in header files.  Add these same checks to some
more prototypes in header functions and to static functions in .c
files.

cc: Miklos Vajna <vmiklos@frugalware.org>
Signed-off-by: Tarmigan Casebolt <tarmigan+git@gmail.com>
---

Junio, please consider this for next.  It will hopefully catch some bugs like
the Content-Length one in http-backend.c.

One extra warning is
    CC merge-recursive.o
merge-recursive.c: In function ‘write_tree_from_memory’:
merge-recursive.c:218: warning: field precision should have type ‘int’, but argument 5 has type ‘size_t’

A fix that might work in practice (because pathnames won't be longer than 
an int?) is:
--- a/merge-recursive.c
+++ b/merge-recursive.c
@@ -215,7 +215,9 @@ struct tree *write_tree_from_memory(struct merge_options *o)
                for (i = 0; i < active_nr; i++) {
                        struct cache_entry *ce = active_cache[i];
                        if (ce_stage(ce))
-                               output(o, 0, "%d %.*s", ce_stage(ce), ce_namelen(ce), ce->name);
+                               output(o, 0, "%d %.*s", ce_stage(ce), (int)ce_namelen(ce), ce->name);
+                       if (ce_namelen(ce) > INT_MAX)
+                               die("A filename was too long");
                }
                return NULL;
        }

but I don't think that is likely to be an acceptable fix, so I'm leaving
it for others to make a proper fix.  Looks like Miklos touched that line
last, so perhaps he knows of a better fix.

 builtin-fsck.c           |    2 ++
 builtin-update-index.c   |    1 +
 builtin-upload-archive.c |    1 +
 cache.h                  |    2 ++
 color.h                  |    2 ++
 daemon.c                 |    2 ++
 fsck.h                   |    1 +
 imap-send.c              |    6 ++++++
 merge-recursive.c        |    1 +
 strbuf.h                 |    2 +-
 10 files changed, 19 insertions(+), 1 deletions(-)

diff --git a/builtin-fsck.c b/builtin-fsck.c
index 2d88e45..0e5faae 100644
--- a/builtin-fsck.c
+++ b/builtin-fsck.c
@@ -47,6 +47,7 @@ static void objreport(struct object *obj, const char *severity,
 	fputs("\n", stderr);
 }
 
+__attribute__((format (printf, 2, 3)))
 static int objerror(struct object *obj, const char *err, ...)
 {
 	va_list params;
@@ -57,6 +58,7 @@ static int objerror(struct object *obj, const char *err, ...)
 	return -1;
 }
 
+__attribute__((format (printf, 3, 4)))
 static int fsck_error_func(struct object *obj, int type, const char *err, ...)
 {
 	va_list params;
diff --git a/builtin-update-index.c b/builtin-update-index.c
index 92beaaf..a6b7f2d 100644
--- a/builtin-update-index.c
+++ b/builtin-update-index.c
@@ -27,6 +27,7 @@ static int mark_valid_only;
 #define MARK_VALID 1
 #define UNMARK_VALID 2
 
+__attribute__((format (printf, 1, 2)))
 static void report(const char *fmt, ...)
 {
 	va_list vp;
diff --git a/builtin-upload-archive.c b/builtin-upload-archive.c
index c4cd1e1..b2d1259 100644
--- a/builtin-upload-archive.c
+++ b/builtin-upload-archive.c
@@ -67,6 +67,7 @@ static int run_upload_archive(int argc, const char **argv, const char *prefix)
 	return write_archive(sent_argc, sent_argv, prefix, 0);
 }
 
+__attribute__((format (printf, 1, 2)))
 static void error_clnt(const char *fmt, ...)
 {
 	char buf[1024];
diff --git a/cache.h b/cache.h
index 7cec30e..9fdf122 100644
--- a/cache.h
+++ b/cache.h
@@ -964,7 +964,9 @@ extern void *alloc_object_node(void);
 extern void alloc_report(void);
 
 /* trace.c */
+__attribute__((format (printf, 1, 2)))
 extern void trace_printf(const char *format, ...);
+__attribute__((format (printf, 2, 3)))
 extern void trace_argv_printf(const char **argv, const char *format, ...);
 
 /* convert.c */
diff --git a/color.h b/color.h
index 18abeb7..7d8da6f 100644
--- a/color.h
+++ b/color.h
@@ -29,7 +29,9 @@ int git_color_default_config(const char *var, const char *value, void *cb);
 int git_config_colorbool(const char *var, const char *value, int stdout_is_tty);
 void color_parse(const char *value, const char *var, char *dst);
 void color_parse_mem(const char *value, int len, const char *var, char *dst);
+__attribute__((format (printf, 3, 4)))
 int color_fprintf(FILE *fp, const char *color, const char *fmt, ...);
+__attribute__((format (printf, 3, 4)))
 int color_fprintf_ln(FILE *fp, const char *color, const char *fmt, ...);
 int color_fwrite_lines(FILE *fp, const char *color, size_t count, const char *buf);
 
diff --git a/daemon.c b/daemon.c
index 1b5ada6..641ebe1 100644
--- a/daemon.c
+++ b/daemon.c
@@ -77,6 +77,7 @@ static void logreport(int priority, const char *err, va_list params)
 	}
 }
 
+__attribute__((format (printf, 1, 2)))
 static void logerror(const char *err, ...)
 {
 	va_list params;
@@ -85,6 +86,7 @@ static void logerror(const char *err, ...)
 	va_end(params);
 }
 
+__attribute__((format (printf, 1, 2)))
 static void loginfo(const char *err, ...)
 {
 	va_list params;
diff --git a/fsck.h b/fsck.h
index 008456b..1e4f527 100644
--- a/fsck.h
+++ b/fsck.h
@@ -17,6 +17,7 @@ typedef int (*fsck_walk_func)(struct object *obj, int type, void *data);
 /* callback for fsck_object, type is FSCK_ERROR or FSCK_WARN */
 typedef int (*fsck_error)(struct object *obj, int type, const char *err, ...);
 
+__attribute__((format (printf, 3, 4)))
 int fsck_error_function(struct object *obj, int type, const char *fmt, ...);
 
 /* descend in all linked child objects
diff --git a/imap-send.c b/imap-send.c
index 6c9938a..854b6a4 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -102,13 +102,16 @@ struct msg_data {
 
 static int Verbose, Quiet;
 
+__attribute__((format (printf, 1, 2)))
 static void imap_info(const char *, ...);
+__attribute__((format (printf, 1, 2)))
 static void imap_warn(const char *, ...);
 
 static char *next_arg(char **);
 
 static void free_generic_messages(struct message *);
 
+__attribute__((format (printf, 3, 4)))
 static int nfsnprintf(char *buf, int blen, const char *fmt, ...);
 
 static int nfvasprintf(char **strp, const char *fmt, va_list ap)
@@ -560,6 +563,7 @@ static struct imap_cmd *v_issue_imap_cmd(struct imap_store *ctx,
 	return cmd;
 }
 
+__attribute__((format (printf, 3, 4)))
 static struct imap_cmd *issue_imap_cmd(struct imap_store *ctx,
 				       struct imap_cmd_cb *cb,
 				       const char *fmt, ...)
@@ -573,6 +577,7 @@ static struct imap_cmd *issue_imap_cmd(struct imap_store *ctx,
 	return ret;
 }
 
+__attribute__((format (printf, 3, 4)))
 static int imap_exec(struct imap_store *ctx, struct imap_cmd_cb *cb,
 		     const char *fmt, ...)
 {
@@ -588,6 +593,7 @@ static int imap_exec(struct imap_store *ctx, struct imap_cmd_cb *cb,
 	return get_cmd_result(ctx, cmdp);
 }
 
+__attribute__((format (printf, 3, 4)))
 static int imap_exec_m(struct imap_store *ctx, struct imap_cmd_cb *cb,
 		       const char *fmt, ...)
 {
diff --git a/merge-recursive.c b/merge-recursive.c
index f55b7eb..d198312 100644
--- a/merge-recursive.c
+++ b/merge-recursive.c
@@ -86,6 +86,7 @@ static void flush_output(struct merge_options *o)
 	}
 }
 
+__attribute__((format (printf, 3, 4)))
 static void output(struct merge_options *o, int v, const char *fmt, ...)
 {
 	int len;
diff --git a/strbuf.h b/strbuf.h
index d05e056..fa07ecf 100644
--- a/strbuf.h
+++ b/strbuf.h
@@ -117,7 +117,7 @@ struct strbuf_expand_dict_entry {
 };
 extern size_t strbuf_expand_dict_cb(struct strbuf *sb, const char *placeholder, void *context);
 
-__attribute__((format(printf,2,3)))
+__attribute__((format (printf,2,3)))
 extern void strbuf_addf(struct strbuf *sb, const char *fmt, ...);
 
 extern size_t strbuf_fread(struct strbuf *, size_t, FILE *);
-- 
1.6.5.52.g4544ce0

Re: [PATCH] Check the format of more printf-type functions

[Miklos Vajna]

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

On Sat, Nov 14, 2009 at 01:33:13PM -0800, Tarmigan Casebolt <tarmigan+git@gmail.com> wrote:
> it for others to make a proper fix.  Looks like Miklos touched that line
> last, so perhaps he knows of a better fix.

I just added struct merge_options, the real change is commit a97e407
(Keep rename/rename conflicts of intermediate merges while doing
recursive merge, 2007-03-31), adding Alex to Cc.

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

Re: [PATCH] Check the format of more printf-type functions

[Alex Riesen]

On Sat, Nov 14, 2009 at 22:33, Tarmigan Casebolt <tarmigan+git@gmail.com> wrote:
> We already have these checks in many printf-type functions that have
> prototypes which are in header files.  Add these same checks to some
> more prototypes in header functions and to static functions in .c
> files.
>
> cc: Miklos Vajna <vmiklos@frugalware.org>
> Signed-off-by: Tarmigan Casebolt <tarmigan+git@gmail.com>
> ---
>
> Junio, please consider this for next.  It will hopefully catch some bugs like
> the Content-Length one in http-backend.c.
>
> One extra warning is
>    CC merge-recursive.o
> merge-recursive.c: In function ‘write_tree_from_memory’:
> merge-recursive.c:218: warning: field precision should have type ‘int’, but argument 5 has type ‘size_t’
>
> A fix that might work in practice (because pathnames won't be longer than
> an int?) is:
> --- a/merge-recursive.c
> +++ b/merge-recursive.c
> @@ -215,7 +215,9 @@ struct tree *write_tree_from_memory(struct merge_options *o)
>                for (i = 0; i < active_nr; i++) {
>                        struct cache_entry *ce = active_cache[i];
>                        if (ce_stage(ce))
> -                               output(o, 0, "%d %.*s", ce_stage(ce), ce_namelen(ce), ce->name);
> +                               output(o, 0, "%d %.*s", ce_stage(ce), (int)ce_namelen(ce), ce->name);

It'll do. The message is purely diagnostics.

> +                       if (ce_namelen(ce) > INT_MAX)
> +                               die("A filename was too long");

That's overdoing it a little.