Whatever Happened to sprintf(..., “%n”,...)?

You may have noticed that if your code calls functions in the sprintf family and the format template string uses the %n specifier, it fails to run correctly after it is compiled with Visual Studio 2005. Why? Well, it's pretty simple: by default we disabled support for %n, because it can be a security issue if the arguments used by sprintf come from an attacker and are not validated correctly. It also turns out that very few developers use %n.

%n means "write the number of characters output so far to the address supplied in the corresponding function argument". If the attacker has a good deal of freedom over the format string and the arguments when this function is called, then the attacker can essentially write any value into memory.

If you must enable %n in your code, you need to call _set_printf_count_output.
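As an added defensive example (not code from the original post), here is a portable check in C that refuses a format string containing a %n conversion before it reaches a printf-family function; it is the complementary mitigation on compilers that do not disable %n by default. The names `format_uses_n` and `checked_snprintf` are my own.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true if fmt contains a %n conversion. Flags, width, precision
 * and length modifiers (e.g. "%-10.5hhn", "%lln") are skipped so the
 * conversion character is found; "%%" is a literal percent sign, so
 * "%%n" does NOT count. */
bool format_uses_n(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* character after '%' */
        if (*p == '%')                         /* "%%" literal */
            continue;
        while (*p && strchr("-+ #0", *p)) p++; /* flags */
        while ((*p >= '0' && *p <= '9') || *p == '*') p++;  /* width */
        if (*p == '.') {                       /* precision */
            p++;
            while ((*p >= '0' && *p <= '9') || *p == '*') p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++; /* length modifiers */
        if (*p == 'n')
            return true;
        if (*p == '\0')                        /* dangling '%' at end */
            break;
    }
    return false;
}

/* snprintf wrapper for templates that may be influenced by untrusted
 * input: returns -1 without formatting if %n is present, otherwise the
 * vsnprintf result. Constructed sample usage is in main(). */
int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    if (format_uses_n(fmt))
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[64];
    int ok = checked_snprintf(buf, sizeof buf, "%d items", 3);      /* 7 */
    int rej = checked_snprintf(buf, sizeof buf, "%s%n", "x");       /* -1 */
    printf("accepted=%d rejected=%d\n", ok, rej);
    return 0;
}
```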