The expected behavior is nothing gets written, since the size_t n argument
is 0. Whether *(&n) gets written to or not is ambiguous. The implied
behavior is that since it is only checking what the buffer length should be, by
the paragraph at line 31022, any %n is ignored since no output is occurring
for this be valid. The overflow happens in strtoi of the %s part, so I
would expect it to abort with EOVERFLOW when that's processed and not even get
to the %n, as an illegal format string. The standard leaves ambiguous
whether INT_MAX is assumed in this case, however, so an implementation that
does process the %n anyways might store INT_MAX. It should be explicit in that
paragraph, imo, %n isn't processed and the value pointed to left
unmodified.
In a message dated 5/22/2017 9:52:20 A.M. Eastern Daylight Time,
vincent-o...@vinc17.net writes:
I'm wondering what behavior is expected for the following program on
a machine with 32-bit int's and 64-bit long's:
#include <stdio.h>
int main(void)
{
long n = -1;
snprintf (NULL, 0, "%100000000000s%ln", "", &n);
printf ("%ld\n", n);
return 0;
}
i.e. in case of overflow on the return value (which occurs here since
snprintf should have returned 100000000000, but this value doesn't fit
in an int), what should the effect be?
If there is output to a file or a buffer, should this be done, and the
only effect of the overflow concerns the return value?
For the 'n' format specifier (as in the above program), are the
objects expected to be filled? If not, do they contain their old
values or are their contents unspecified?
--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
