From 27986dbc88189d013def383ed11fadbfd96a2f04 Mon Sep 17 00:00:00 2001
From: Marcus Boerger
Date: Mon, 26 Dec 2005 13:39:17 +0000
Subject: [PATCH] - Fix memory corruption in s*printf() (see bug #27678)
---
 main/snprintf.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/main/snprintf.c b/main/snprintf.c
index 6f5a3a7191..5eba393699 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -199,9 +199,14 @@ char * ap_php_conv_fp(register char format, register double num,
 *s++ = '.';
 }
 } else {
+ int addz = decimal_point >= NDIG ? decimal_point - NDIG + 1 : 0;
+ decimal_point -= addz;
 while (decimal_point-- > 0) {
 *s++ = *p++;
 }
+ while (addz-- > 0) {
+ *s++ = '0';
+ }
 if (precision > 0 || add_dp) {
 *s++ = '.';
 }
@@ -312,19 +317,21 @@ char * ap_php_cvt(double arg, int ndigits, int *decpt, int *sign, int eflag, cha
 * Do integer part
 */
 if (fi != 0) {
- p1 = &buf[NDIG];
 while (fi != 0) {
 fj = modf(fi / 10, &fi);
 if (p1 <= &buf[0]) {
 mvl = NDIG - ndigits;
- memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+ if (ndigits > 0) {
+ memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+ }
 p1 += mvl;
 }
 *--p1 = (int) ((fj + .03) * 10) + '0';
 r2++;
 }
- while (p1 < &buf[NDIG])
+ while (p1 < &buf[NDIG]) {
 *p++ = *p1++;
+ }
 } else if (arg > 0) {
 while ((fj = arg * 10) < 1) {
 if (!eflag && (r2 * -1) < ndigits) {
--
2.40.0
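Review bot: The zero-padding added in the `else` branch bounds what is read through `p`, but the number of bytes written through `s` is still the original `decimal_point`, and nothing in the hunk checks that against the size of the destination buffer. For a double with hundreds of integer digits that is hundreds of bytes before the '.' and the precision digits are appended, so the caller's buffer size (not visible here) should be confirmed or asserted. The `+ 1` in `decimal_point - NDIG + 1` also deserves a comment, for example `/* digit buffer holds at most NDIG-1 digits; pad the rest with '0' */`, assuming that is the reason. ap_php_conv_fp starts and ends outside the hunk.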
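Review bot: The new `if (ndigits > 0)` guard covers only the `memmove`; the following `p1 += mvl;` still runs with `mvl = NDIG - ndigits`, so for a negative `ndigits` it moves `p1` beyond `&buf[NDIG]` and the next `*--p1 = ...` stores outside `buf`. With `ndigits == 0` the pointer lands exactly on `&buf[NDIG]` and the store stays in bounds, so only the negative case is affected, and whether a caller can pass one is not visible in this hunk. Clamping where the shift is computed keeps the pointer inside the array: `mvl = NDIG - (ndigits > 0 ? ndigits : 0);`. An `ndigits` larger than `NDIG` would make `mvl` negative as well; ap_php_cvt starts and ends outside the hunk, so an earlier clamp may already handle that.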