From: Rich Felker Date: Mon, 7 Apr 2014 05:36:40 +0000 (-0400) Subject: fix carry into uninitialized slots during printf floating point rounding X-Git-Tag: v1.1.0~18 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=109048e031f39fbb370211fde44ababf6c04c8fb;p=musl fix carry into uninitialized slots during printf floating point rounding in cases where rounding caused a carry, the slot into which the carry was taking place was unconditionally treated as valid, despite the possibility that it could be a new slot prior to the beginning of the existing non-rounded number. in theory this could lead to unbounded runaway carry, but in order for that to happen, the whole uninitialized buffer would need to have been pre-filled with 32-bit integer values greater than or equal to 999999999. patch based on proposed fix by Morten Welinder, who also discovered and reported the bug. --- diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c index 31c3d5dd..bec63ecf 100644 --- a/src/stdio/vfprintf.c +++ b/src/stdio/vfprintf.c @@ -356,9 +356,9 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) *d = *d + i; while (*d > 999999999) { *d--=0; + if (d=i; i*=10, e++); } }