CodeQL queries 1.23
Each call to the
printf function, or a related function, should include
the number of arguments defined by the format. Passing the function more arguments than
required is harmless (although it may be indicative of other defects). However, passing
the function fewer arguments than are defined by the format can be a security vulnerability
since the function will process the next item on the stack as the missing arguments.
This might lead to an information leak if a sensitive value from the stack is printed. It might cause a crash if a value on the stack is interpreted as a pointer and leads to accessing unmapped memory. Finally, it may lead to a follow-on vulnerability if an attacker can use this problem to cause the output string to be too long or have unexpected contents.
Review the format and arguments expected by the highlighted function calls. Update either the format or the arguments so that the expected number of arguments are passed to the function.