@CassieJade you need to look at the documentation of these functions online. printf, snpritf are pretty common functions. And by the way, this platform is not for school assignments. You are most welcome if you have tried something and want to follow from there.

  1. http://www.cplusplus.com/reference/cstdio/printf/
  2. http://www.cplusplus.com/reference/cstdio/snprintf/

The following explains beautifully about your concern of $. (GCC) Dollar sign in printf format string

Notation %2$d means the same as %d (output signed integer), except it formats the parameter with given 1-based number (in your case it's a second parameter, b).

int a = 3, b = 2;

printf("%2d", a, b);

Here you would expect 3 2 to be printed, but it will print 2 3, because the parameter a becomes param#1, and b becomes param#2, and %2$d is printed first so 2 is printed first followed by %1$d which is 3

You may want to look at man page of printf, its a bit complex for newbies but its the final source of truth.

The following is your print wrapper.

char buf[5012];
memcpy(buf, argv[1], 5012);
printWrapper(argv[1]);
return (0);

Your website says: When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.

Now, if this argv1 can be provided by someone who is not trusted, he can provide any junk argument which will go to printf. The goal of your task is to not to feed on print() with any string that is externally controlled. e.g. argv1 can be very huge string (max allowable). Or for example I am the one invoking your program and I passed argv1 as "%d Hello World", your printWrapper will end up printing some junk like "-446798072 Hello World", because no integer is passed as argument in printf(argv1).

Also memcpy is reading fixed number of bytes from origin argv1 which can have shorter length string, in this case it will be an invalid read (read past bound).

snprintf(buf,128,argv[1]);

exploit here is very clear, the argv1 can be changed with containment of several specifiers like %n which can write n number of bytes to your buf rather than intended write. By using %X in argc1 hacker can gain address of a variable on stack which can be exploited further. All this is vulnerable because an external untrusted source is creating the format specifier string that is used by your printf or snprintf, sprintf functions. For example suppose hacker gave "%200d" in the argv1. sprintf(buf, 128, argv[1]); will land up printing 200 bytes and then a junk integer, which might not be intended at all, since its snprintf which is a bounded function it will allow only 128 bytes to be written which will be empty.

I hope it is clear now.

Answer from Yogesh on Stack Overflow
🌐
MITRE
cwe.mitre.org › data › definitions › 134.html
CWE - CWE-134: Use of Externally-Controlled Format String (4.20)
A community-developed list of SW & HW weaknesses that can become vulnerabilities
Top answer
1 of 1
1

@CassieJade you need to look at the documentation of these functions online. printf, snpritf are pretty common functions. And by the way, this platform is not for school assignments. You are most welcome if you have tried something and want to follow from there.

  1. http://www.cplusplus.com/reference/cstdio/printf/
  2. http://www.cplusplus.com/reference/cstdio/snprintf/

The following explains beautifully about your concern of $. (GCC) Dollar sign in printf format string

Notation %2$d means the same as %d (output signed integer), except it formats the parameter with given 1-based number (in your case it's a second parameter, b).

int a = 3, b = 2;

printf("%2d", a, b);

Here you would expect 3 2 to be printed, but it will print 2 3, because the parameter a becomes param#1, and b becomes param#2, and %2$d is printed first so 2 is printed first followed by %1$d which is 3

You may want to look at man page of printf, its a bit complex for newbies but its the final source of truth.

The following is your print wrapper.

char buf[5012];
memcpy(buf, argv[1], 5012);
printWrapper(argv[1]);
return (0);

Your website says: When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.

Now, if this argv1 can be provided by someone who is not trusted, he can provide any junk argument which will go to printf. The goal of your task is to not to feed on print() with any string that is externally controlled. e.g. argv1 can be very huge string (max allowable). Or for example I am the one invoking your program and I passed argv1 as "%d Hello World", your printWrapper will end up printing some junk like "-446798072 Hello World", because no integer is passed as argument in printf(argv1).

Also memcpy is reading fixed number of bytes from origin argv1 which can have shorter length string, in this case it will be an invalid read (read past bound).

snprintf(buf,128,argv[1]);

exploit here is very clear, the argv1 can be changed with containment of several specifiers like %n which can write n number of bytes to your buf rather than intended write. By using %X in argc1 hacker can gain address of a variable on stack which can be exploited further. All this is vulnerable because an external untrusted source is creating the format specifier string that is used by your printf or snprintf, sprintf functions. For example suppose hacker gave "%200d" in the argv1. sprintf(buf, 128, argv[1]); will land up printing 200 bytes and then a junk integer, which might not be intended at all, since its snprintf which is a bounded function it will allow only 128 bytes to be written which will be empty.

I hope it is clear now.

🌐
CVE Details
cvedetails.com › cwe-details › 134 › Use-of-Externally-Controlled-Format-String.html
Use of Externally-Controlled Format String - CWE-134
The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Created: 2006-07-19 Updated: 2025-12-11 Source: https://cwe.mitre.org/data/definitions/134.html ... An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character.
🌐
CVE Details
cvedetails.com › cwe-details › 134 › Uncontrolled-Format-String.html
CWE 134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Created: 2006-07-19 Updated: 2025-09-09 Source: https://cwe.mitre.org/data/definitions/134.html ... An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character.
🌐
Martellosecurity
martellosecurity.com › kb › mitre › cwe › 134
Use of Externally-Controlled Format String | Martello Security
By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.
🌐
MITRE
cwe.mitre.org › data › definitions › 134
CWE - CWE-134: Use of Externally-Controlled Format String (4.19.1)
A community-developed list of SW & HW weaknesses that can become vulnerabilities
🌐
CodeQL
codeql.github.com › codeql-query-help › java › java-tainted-format-string
Use of externally-controlled format string — CodeQL query help documentation
public class ResponseSplitting extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1); // User provided value String cardSecurityCode = request.getParameter("cardSecurityCode"); if (notValid(cardSecurityCode)) { /* * BAD: user provided value is included in the format string. * A malicious user could provide an extra format specifier, which causes an * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to * access the month or day of the expiration date.
🌐
CVEfeed
cvefeed.io › cwe › detail › cwe-134-use-of-externally-controlled-format-string
CWE-134: Use of Externally-Controlled Format String
only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability. ... The following program prints a string provided as an argument. printf(string); char buf[5012];memcpy(buf, argv[1], 5012);printWrapper(argv[1]);return (0);#include <stdio.h>void printWrapper(char *string) {}int main(int argc, char **argv) {} The example is exploitable, because of the call to printf() in the printWrapper() function.
Find elsewhere
🌐
Cybersecurity Help
cybersecurity-help.cz › vdb › cwe › 134
CWE-134 - Use of Externally-Controlled Format String
Sometimes the control of external format strings is performed by the design. In case of format source safeness and reliability, there is no reason to worry about security of the system. The weakness is introduced during Implementation stage.  ... We use cookies to enhance your browsing ...
🌐
MathWorks
mathworks.com › polyspace bug finder › reviewing and reporting results › polyspace bug finder results › coding standards › common weakness enumeration (cwe)
CWE Rule 134 - Use of Externally-Controlled Format String - MATLAB
Pass a static string to format string functions. This fix ensures that an external actor cannot control the string. Another possible fix is to allow only the expected number of arguments. If possible, use functions that do not support the vulnerable %n operator in format strings.
🌐
Cyber Security News
cybersecurityupdate.net › home › cwe › cwe-134 – use of externally-controlled format string
CWE-134 - Use of Externally-Controlled Format String - Cyber Security News
May 26, 2022 - Description The software uses a function that accepts a format string as an argument, but the format string originates from an external source. Modes of Introduction: – Implementation Likelihood of Exploit: High Related Weaknesses CWE-668 CWE-668 CWE-123 CWE-20 Consequences Confidentiality: Read Memory Format string problems allow for information disclosure which can severely […]
🌐
PVS-Studio
pvs-studio.com › en › docs › warnings › v5631
V5631. OWASP. Use of externally-controlled format string. Potentially tainted data is used as a format string.
In the example, the format value is externally retrieved and passed to ApplyFormat, where it is directly used as the format in the string.Format method. Since no validation is performed on the number of the placeholders ({....}) in the string, there is a risk of mismatch with the arguments in args.
🌐
Acunetix
acunetix.com › vulnerabilities › web › uncontrolled-format-string
Uncontrolled format string - Vulnerabilities - Acunetix
This web application/server uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems. Format string attacks alter the flow of an application by using string formatting library features to access other memory space.
🌐
Prisma Cloud
docs.prismacloud.io › en › enterprise-edition › policy-reference › sast-policies › java-policies › sast-policy-150
Use of externally-controlled format string
June 11, 2025 - Prisma Cloud Application Security offers a comprehensive scanning mechanism for detecting potential security issues that may arise in various aspects of software development. This documentation ...
🌐
Snyk
security.snyk.io › snyk vulnerability database › unmanaged (c/c++)
Use of Externally-Controlled Format String in fmtlib/fmt | CVE-2018-1000052 | Snyk
This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7. ... The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet.
🌐
Snyk
security.snyk.io › snyk vulnerability database › linux › amzn
Use of Externally-Controlled Format String in ncurses | CVE-2017-10685 | Snyk
September 27, 2021 - In ncurses 6.0, there is a format string vulnerability in the fmt_entry function.
🌐
Grokipedia
grokipedia.com › uncontrolled format string
Uncontrolled format string — Grokipedia
January 14, 2026 - An uncontrolled format string ... sprintf(), or similar in languages like C and C++, enabling attackers to manipulate memory access and potentially execute arbitrary code.[1] This flaw occurs because format functions interpret ...
🌐
GitHub
github.com › Ericsson › secure_coding_one_stop_shop_for_python › blob › main › CWE-664 › CWE-134 › README.md
secure_coding_one_stop_shop_for_python/CWE-664/CWE-134/README.md at main · Ericsson/secure_coding_one_stop_shop_for_python
Ensure that all format string functions are passed a static string which cannot be controlled by the user [MITRE 2023] In Python, the use of string formatting combined with the ability to access a function's __globals__ attribute can exposing internal variables and methods unless properly guarded.
Author   Ericsson
🌐
Guardrails
docs.guardrails.io › vulnerability classes › processing of data › format string
Format String | GuardRails
A format string vulnerability is a type of software vulnerability that can occur in applications that use format strings to process user input. Format string vulnerabilities can be exploited by attackers to read or write arbitrary memory locations, execute arbitrary code, or cause the program to crash. The vulnerability occurs when a format string that is controlled by an attacker is passed to a function that processes it without proper validation or sanitization.
🌐
Snyk
security.snyk.io › snyk vulnerability database › linux › ubuntu
Use of Externally-Controlled Format String in sudo | CVE-2012-0809 | Snyk
August 5, 2022 - Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.