CXX.FUNC.CSTRING.FORMAT

A CString object must not be passed as an argument to its own Format() call.

The call will fail if the CString object itself is passed as a parameter.

Vulnerability and risk

A Format() call that receives its own CString object as a parameter can lead to unpredictable results.

Mitigation and prevention

Copy the value into an intermediate temporary CString and pass that temporary to Format() instead of the object being formatted.

Example

CString str = "Some Data";
str.Format("%s%d", str, 123);

The CString object str is the target of the Format() call and is also passed in its parameter list.
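A lightweight source scan for this pattern, as an added example that is not part of the original page and is not the checker's own implementation. The names split_args, find_self_format and SAMPLE are hypothetical, and treating a leading C-style cast such as (LPCTSTR) as the same object is an assumption of this example.

```python
import re

# Receiver of a call: `name.Format(` or `name->Format(`.
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*(?:\.|->)\s*Format\s*\(')
# Leading C-style cast such as `(LPCTSTR)`; counting the cast value as the
# same object is an assumption of this example.
CAST_RE = re.compile(r'^\(\s*[\w\s:*]+\)\s*')

def split_args(source, start):
    """Split the argument list starting just past '(' on top-level commas."""
    args, current, depth, in_str, i = [], [], 0, False, start
    while i < len(source):
        ch = source[i]
        if in_str:
            if ch == '\\':  # keep an escaped character inside the literal
                current.append(source[i:i + 2])
                i += 2
                continue
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            if depth == 0:  # closing parenthesis of the Format call itself
                return args + [''.join(current).strip()]
            depth -= 1
        elif ch == ',' and depth == 0:
            args.append(''.join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    return []  # unbalanced call: nothing to report

def find_self_format(source):
    """Return (line, receiver) for each Format call whose values include its receiver."""
    findings = []
    for m in CALL_RE.finditer(source):
        receiver = m.group(1)
        values = split_args(source, m.end())[1:]  # skip the format string
        if any(CAST_RE.sub('', v) == receiver for v in values):
            findings.append((source.count('\n', 0, m.start()) + 1, receiver))
    return findings

# Constructed sample: line 2 is the page's example, line 4 uses a temporary copy.
SAMPLE = ('CString str = "Some Data";\nstr.Format("%s%d", str, 123);\n'
          'CString tmp = str;\nstr.Format("%s%d", tmp, 123);\n'
          'name.Format(_T("%s (%d)"), (LPCTSTR)name, n);\n')
print(find_self_format(SAMPLE))
```

The scan is purely textual, so it only matches a receiver and argument spelled with the same identifier; aliases through references or pointers need a real static analyzer.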