The expected behavior is nothing gets written, since the size_t n argument is 0. Whether *(&n) gets written to or not is ambiguous. The implied behavior is that since it is only checking what the buffer length should be, by the paragraph at line 31022, any %n is ignored since no output is occurring for this be valid. The overflow happens in strtoi of the %s part, so I would expect it to abort with EOVERFLOW when that's processed and not even get to the %n, as an illegal format string. The standard leaves ambiguous whether INT_MAX is assumed in this case, however, so an implementation that does process the %n anyways might store INT_MAX. It should be explicit in that paragraph, imo, %n isn't processed and the value pointed to left unmodified. In a message dated 5/22/2017 9:52:20 A.M. Eastern Daylight Time, vincent-o...@vinc17.net writes:
I'm wondering what behavior is expected for the following program on a machine with 32-bit int's and 64-bit long's: #include <stdio.h> int main(void) { long n = -1; snprintf (NULL, 0, "%100000000000s%ln", "", &n); printf ("%ld\n", n); return 0; } i.e. in case of overflow on the return value (which occurs here since snprintf should have returned 100000000000, but this value doesn't fit in an int), what should the effect be? If there is output to a file or a buffer, should this be done, and the only effect of the overflow concerns the return value? For the 'n' format specifier (as in the above program), are the objects expected to be filled? If not, do they contain their old values or are their contents unspecified? -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)