Develop Reference

Format string vulnerability in C (how does stack behave in this case?) [duplicate]

I've seen the following line in a source code written in C:
printf("%2$d %1$d", a, b);
What does it mean?

It's an extension to the language added by POSIX (C11-compliant behaviour should be as described in an answer by #chux). Notation %2$d means the same as %d (output signed integer), except it formats the parameter with given 1-based number (in your case it's a second parameter, b).
So, when you run the following code:
#include <stdio.h>
int main() {
int a = 3, b = 2;
printf("%2$d %1$d", a, b);
return 0;
}
you'll get 2 3 in standard output.
More info can be found on printf man pages.

Per the C spec C11dr 7.21.6.1
As part of a print format, the first % in "%2$d %1$d" introduces a directive. This directive may have various flags, width, precision, length modifier and finally a conversion specifier. In this case 2 is a width. The next character $ is neither a precision, length modifier nor conversion specifier. Thus since the conversion specification is invalid,
... the behavior is undefined. C11dr 7.21.6.1 9
The C spec discusses future library directions. Lower case letters may be added in the future and other characters may be used in extensions. Of course $ is not a lower case letter, so that is good for the future. It certainly fits the "other character" role as $ is not even part of the C character set.
In various *nix implementations, $ is used as describe in Linux Programmer's Manual PRINTF(3). The $, along with the preceding integer defines the argument index of the width.

Printf format string maximum width value (padding) %(??)d%n

What is the maximum width value I can put in the %d format specifier? For example:
int c=0;
printf("%1234567899d%n",0,&c);
printf("%d",c);
When I use large values the written value of c is 0. Why is that?

Although it's not stated explicitly, the type of the field width is most likely an int. This is because if the field width is given as * then an int argument is expected.
Section 7.21.6.1p5 of the C standard regarding the fprintf function (any by extension printf) states the following regarding field witdh:
As noted above, a field width, or precision, or both, may be indicated
by an asterisk. In this case, an int argument supplies the
field width or precision. The arguments specifying field
width, or precision, or both, shall appear (in that order)
before the argument (if any) to be converted. A negative
field width argument is taken as a - flag followed by a
positive field width. A neg ative precision argument is
taken as if the precision were omitted.
I tested this on CentOS 7 and Ubuntu 18, and the largest width I could specify was 2147483614 which is 33 less than the max value for a signed 32 bit int. If I use anything larger the first printf prints nothing and c remains 0.
Go generally speaking, the largest value you can expect for c would be INT_MAX, however the exact value will vary based on the implementation.

What is the maximum width value I can put in the %d format specifier?
The limit may be as small as 4095.
Aside from issues with specifying a width outside the positive int range, long output can incur environmental limits.
Environmental limits (fprintf)
The number of characters that can be produced by any single conversion shall be at least 4095. C17dr § 7.21.6.1 15
As I see this, an attempt to "%(some large value)d" print more than 4K (or some greater implementation limit) characters is UB.
Also for output to a text file:
Environmental limits
An implementation shall support text files with lines containing at least 254 characters, including the terminating new-line character. The value of the macro BUFSIZ shall be at least 256. C17dr § 7.21.2 9
Although stdout with printf() is not a file, with re-directed output and freopen(), printf() may be subject to the above constraint.
Then printing an int with many digits can form a line exceeding 254 and some weak file system may not handle long lines.
Such a small 254 limit for a line length I have never seen, so I only include it as a reference, yet do not see it as a modern true limitation.

How can I print "%#s" where # represent the spaces, but this spaces amount have to change depending on the input? [duplicate]

In order to determine the size of the column in C language we use %<number>d.
For instance, I can type %3d and it will give me a column of width=3.
My problem is that my number after the % is a variable that I receive, so I need something like %xd (where x is the integer variable I received sometime before in my program).
But it's not working.
Is there any other way to do this?

You can do this as follows:
printf("%*d", width, value);
From Lee's comment:
You can also use a * for the precision:
printf("%*.*f", width, precision, value);
Note that both width and precision must have type int as expected by printf for the * arguments, type size_t is inappropriate as it may have a different size and representation on the target platform.

Just for completeness, wanted to mention that with POSIX-compliant versions of printf() you can also put the actual field width (or precision) value somewhere else in the parameter list and refer to it using the 1-based parameter number followed by a dollar sign:
A field width or precision, or both, may be indicated by an asterisk ‘∗’ or an asterisk followed by one or more decimal digits and a ‘$’ instead of a digit string. In this case, an int argument supplies the field width or precision. A negative field width is treated as a left adjustment flag followed by a positive field width; a negative precision is treated as though it were missing. If a single format directive mixes positional (nn$) and non-positional arguments, the results are undefined.
E.g., printf ( "%1$*d", width, value );

About printf format string in C

Let's take the following program:
#include <stdio.h>
int main()
{
long t =57 ;
printf("[%+03ld]", t);
}
and it's output:
[+57]
I am somehow confused: I told him to pad the output to width 3 (03ld), with zeroes, however it seems that if I force the output to put a plus sign before the number (+) it will not add the required zeroes if the length of the number is already 2 digits (as in 57). For numbers <10 it pads with 1 zero.
From http://www.cplusplus.com/reference/cstdio/printf/
(0) -> Left-pads the number with zeroes (0) instead of spaces when padding is specified (see width sub-specifier).
(+) -> Forces to preceed the result with a plus or minus sign (+ or -) even for positive numbers. By default, only negative numbers are preceded with a - sign.
(width) -> Minimum number of characters to be printed. If the value to be printed is shorter than this number, the result is padded with blank spaces. The value is not truncated even if the result is larger.
So I just need a clarification ... The (width) specifier from the quote above refers to the full length of the output string (ie: the characters that will be printed) controlled by this format specifier ("%+03ld") or the full length of the characters of the number that is going to be printed?

Yes, the width specifier refers to the width of the entire formatted result, +57 in your case. This makes it useful for printing columnar text for easy reading on screen (important if you're using C to write an old-school text utility!).

C standard is rather precise that converted value is taken a whole. From C11 §7.21.6/2 (emphasis mine):
The fprintf function writes output to the stream pointed to by stream,
under control of the string pointed to by format that specifies how
subsequent arguments are converted for output.
along with §7.21.6/4:
An optional minimum field width. If the converted value has fewer
characters than the field width, it is padded with spaces (by default)
on the left (or right, if the left adjustment flag, described later,
has been given) to the field width. The field width
takes the form of an asterisk * (described later) or a nonnegative decimal integer.

As you quoted "Minimum number of characters to be printed.", so "+" is just another character for printf. Btw the zeros "0" are just characters aswell and have nothing to do with numbers. It could be any character.

Yes, the field width refers to the complete, converted value including decimal dots, signs etc.

You asked for a 3 characters length format and get 3 characters +57. If you want the 0 to be present, just use printf("[%+04ld]", t); and you'll get +057.

Set variable text column width in printf

In order to determine the size of the column in C language we use %<number>d.
For instance, I can type %3d and it will give me a column of width=3.
My problem is that my number after the % is a variable that I receive, so I need something like %xd (where x is the integer variable I received sometime before in my program).
But it's not working.
Is there any other way to do this?

You can do this as follows:
printf("%*d", width, value);
From Lee's comment:
You can also use a * for the precision:
printf("%*.*f", width, precision, value);
Note that both width and precision must have type int as expected by printf for the * arguments, type size_t is inappropriate as it may have a different size and representation on the target platform.

Just for completeness, wanted to mention that with POSIX-compliant versions of printf() you can also put the actual field width (or precision) value somewhere else in the parameter list and refer to it using the 1-based parameter number followed by a dollar sign:
A field width or precision, or both, may be indicated by an asterisk ‘∗’ or an asterisk followed by one or more decimal digits and a ‘$’ instead of a digit string. In this case, an int argument supplies the field width or precision. A negative field width is treated as a left adjustment flag followed by a positive field width; a negative precision is treated as though it were missing. If a single format directive mixes positional (nn$) and non-positional arguments, the results are undefined.
E.g., printf ( "%1$*d", width, value );