Call __fortify_fatal if printf sees %n.
We've ignored %n for a long time, but that's dangerous too because it
makes it unclear whether the corresponding pointer argument should be
supplied or not.
Remove the ambiguity by just rejecting %n outright.
Bug: http://b/31832608
Test: ran tests
Change-Id: Ic046ad3436a30c6f8f580ea738bdcaeb01c858f8
diff --git a/libc/stdio/printf_common.h b/libc/stdio/printf_common.h
index 050120e..85c91de 100644
--- a/libc/stdio/printf_common.h
+++ b/libc/stdio/printf_common.h
@@ -499,24 +499,8 @@
else
ADDTYPE(T_DOUBLE);
break;
-#ifndef NO_PRINTF_PERCENT_N
case 'n':
- if (flags & LLONGINT)
- ADDTYPE(TP_LLONG);
- else if (flags & LONGINT)
- ADDTYPE(TP_LONG);
- else if (flags & SHORTINT)
- ADDTYPE(TP_SHORT);
- else if (flags & PTRINT)
- ADDTYPE(TP_PTRINT);
- else if (flags & SIZEINT)
- ADDTYPE(TP_SSIZEINT);
- else if (flags & MAXINT)
- ADDTYPE(TP_MAXINT);
- else
- ADDTYPE(TP_INT);
- continue; /* no output */
-#endif /* NO_PRINTF_PERCENT_N */
+ __fortify_fatal("%%n not allowed on Android");
case 'O':
flags |= LONGINT;
/*FALLTHROUGH*/