Format string bugs most commonly appear when a programmer wishes to print a string containing user-supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string and parses any formatting directives it may contain; the second version simply prints the string, as the programmer intended. Consider the following short C program that has a local variable char array password which holds a password; the program asks the user for an integer and a string, then echoes out the user-provided string.
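As an added example (not the program the paragraph refers to, and not from the original page), the following C code shows the intended, safe way to echo user text as data next to a small check that flags user input containing conversion directives. The helper names count_format_directives and echo_safe are assumed here for illustration, and the sample input string is constructed; the mistaken printf(buffer) form is shown only in a comment.

```c
#include <stdio.h>
#include <string.h>

/* Returns the number of conversion directives (a '%' not written as "%%")
 * found in user-supplied text. A non-zero count means that passing this
 * text as a format string would make printf read arguments the caller
 * never supplied. This is an aid for log review and input validation,
 * not a substitute for always using a literal format string. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* "%%" prints a literal percent sign */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

/* The programmer's intent: echo the user's text purely as data.
 * Returns the number of bytes written (excluding the terminator),
 * or -1 if the text does not fit in the output buffer. */
int echo_safe(char *out, size_t outlen, const char *user)
{
    /* The format string is a literal; 'user' is only ever the argument
     * to %s, so any '%' it contains is copied verbatim, never parsed. */
    int n = snprintf(out, outlen, "%s", user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The mistaken form described in the text would be:
 *     snprintf(out, outlen, user);   // user text interpreted as a format
 * It is deliberately left out of the build here. With GCC or Clang,
 * -Wformat-security (or -Werror=format-security) reports a non-literal
 * format string with no arguments at compile time. */

int main(void)
{
    /* Constructed sample input: user text that happens to contain directives. */
    const char *untrusted = "hello %x %s %p";
    char out[64];

    printf("directives found: %d\n", count_format_directives(untrusted));
    if (echo_safe(out, sizeof out, untrusted) >= 0)
        printf("echoed as data: %s\n", out);
    return 0;
}
```

Building with -Werror=format-security is the cheapest defence: it turns the printf(buffer) mistake into a compile error across the whole code base, while the runtime check above is useful where input is logged or forwarded to code that cannot be recompiled.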
GM: You'd need incredible skill to win this pod race.
Qui-Gon: What, like a Cheddar monk?
GM: Jedi knight. Well, yes.
Qui-Gon: Easy! I teach the kid everything I know.
GM: Overnight? Besides, only one in a million people has Force sensitivity. The boy doesn't.
Qui-Gon: From those mini-chlorine things, right?
GM: Uh... Right.
Qui-Gon: I get out my first aid kit.
Anakin: What are you doing?
Qui-Gon: You're going to need better stats. I'm transferring some of my mini-chlorines to your blood.
Anakin: A blood transfusion? What?!
Qui-Gon: They'll multiply there and grant you lightning fast reflexes and skill points in driving.
Anakin: That's crazy!
Obi-Wan: No, he's right. Since the Force has a biochemical origin, it must be transferable with the midi-chlorians.
Obi-Wan: It all makes sense now. This is a hard science campaign, right? None of that wishy-washy in-born "psychic abilities" stuff?
GM: Uh, I guess...
GM: I'd better fill in a character sheet for the boy, then.
GM: What was his name again?