[src/trunk]: src/usr.bin/man config() in manconf.c now verifies _build (and _...

[uwe <uwe%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/6ad6e0cc426e
branches:  trunk
changeset: 793506:6ad6e0cc426e
user:      uwe <uwe%NetBSD.org@localhost>
date:      Mon Feb 17 03:10:12 2014 +0000

description:
config() in manconf.c now verifies _build (and _crunch) command
templates with fmtcheck(3) so annotate the printf that uses these
commands as safe with a __format_arg wrapper and drop
-Wno-format-nonliteral.

XXX: Using local wrapper for now, solving this in general would be
nice, but it raises namespace pollution issues.

XXX^2: catman(8) also uses manconf.c and uses _build and _crunch so it
can also benefit from this (but see above).

diffstat:

 usr.bin/man/Makefile |   4 +---
 usr.bin/man/man.c    |  18 +++++++++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diffs (64 lines):

diff -r 4a26cb7a7419 -r 6ad6e0cc426e usr.bin/man/Makefile
--- a/usr.bin/man/Makefile      Mon Feb 17 02:53:48 2014 +0000
+++ b/usr.bin/man/Makefile      Mon Feb 17 03:10:12 2014 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.14 2013/07/19 04:17:02 uwe Exp $
+#      $NetBSD: Makefile,v 1.15 2014/02/17 03:10:12 uwe Exp $
 #      @(#)Makefile    8.1 (Berkeley) 6/6/93
 
 WARNS?=        6
@@ -7,8 +7,6 @@
 SRCS=  man.c manconf.c
 MAN=   man.1 man.conf.5
 
-COPTS.man.c += -Wno-format-nonliteral
-
 DPADD+=        ${LIBUTIL}
 LDADD+=        -lutil
 
diff -r 4a26cb7a7419 -r 6ad6e0cc426e usr.bin/man/man.c
--- a/usr.bin/man/man.c Mon Feb 17 02:53:48 2014 +0000
+++ b/usr.bin/man/man.c Mon Feb 17 03:10:12 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: man.c,v 1.60 2013/10/28 23:46:17 christos Exp $        */
+/*     $NetBSD: man.c,v 1.61 2014/02/17 03:10:12 uwe Exp $     */
 
 /*
  * Copyright (c) 1987, 1993, 1994, 1995
@@ -40,7 +40,7 @@
 #if 0
 static char sccsid[] = "@(#)man.c      8.17 (Berkeley) 1/31/95";
 #else
-__RCSID("$NetBSD: man.c,v 1.60 2013/10/28 23:46:17 christos Exp $");
+__RCSID("$NetBSD: man.c,v 1.61 2014/02/17 03:10:12 uwe Exp $");
 #endif
 #endif /* not lint */
 
@@ -714,6 +714,18 @@
        return anyfound;
 }
 
+/*
+ * A do-nothing counterpart to fmtcheck(3) that only supplies the
+ * __format_arg marker.  Actual fmtcheck(3) call is done once in
+ * config().
+ */
+__always_inline __format_arg(2)
+static inline const char *
+fmtcheck_ok(const char *userfmt, const char *template)
+{
+       return userfmt;
+}
+
 /* 
  * build_page --
  *     Build a man page for display.
@@ -788,7 +800,7 @@
                exit(EXIT_FAILURE);
        }
        (void)snprintf(buf, sizeof(buf), "%s > %s", fmt, tpath);
-       (void)snprintf(cmd, sizeof(cmd), buf, p);
+       (void)snprintf(cmd, sizeof(cmd), fmtcheck_ok(buf, "%s"), p);
        (void)system(cmd);
        (void)close(fd);
        if ((*pathp = strdup(tpath)) == NULL) {