Call __fortify_fatal if printf sees %n.

We've ignored %n for a long time, but that's dangerous too because it
makes it unclear whether the corresponding pointer argument should be
supplied or not.

Remove the ambiguity by just rejecting %n outright.

Bug: http://b/31832608
Test: ran tests
Change-Id: Ic046ad3436a30c6f8f580ea738bdcaeb01c858f8

1 files changed, 1 insertions, 19 deletions

diff --git a/libc/stdio/vfwprintf.cpp b/libc/stdio/vfwprintf.cpp
index 7a002025e..46b62333f 100644
--- a/libc/stdio/vfwprintf.cpp
+++ b/libc/stdio/vfwprintf.cpp
@@ -434,26 +434,8 @@ int FUNCTION_NAME(FILE* fp, const CHAR_TYPE* fmt0, va_list ap) {
           lead = expt;
         }
         break;
-#ifndef NO_PRINTF_PERCENT_N
       case 'n':
-        if (flags & LLONGINT)
-          *GETARG(long long*) = ret;
-        else if (flags & LONGINT)
-          *GETARG(long*) = ret;
-        else if (flags & SHORTINT)
-          *GETARG(short*) = ret;
-        else if (flags & CHARINT)
-          *GETARG(signed char*) = ret;
-        else if (flags & PTRINT)
-          *GETARG(ptrdiff_t*) = ret;
-        else if (flags & SIZEINT)
-          *GETARG(ssize_t*) = ret;
-        else if (flags & MAXINT)
-          *GETARG(intmax_t*) = ret;
-        else
-          *GETARG(int*) = ret;
-        continue; /* no output */
-#endif            /* NO_PRINTF_PERCENT_N */
+        __fortify_fatal("%%n not allowed on Android");
       case 'O':
         flags |= LONGINT;
         /*FALLTHROUGH*/