diff options
author | Rich Felker <dalias@aerifal.cx> | 2014-04-07 01:36:40 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-04-16 02:46:05 -0400 |
commit | ad0dfd04c2daf176235085c4e97f4d6ed3851654 (patch) | |
tree | ce69bb0689328810426b7be7ed89056c64019a1b | |
parent | d636714704aede6f662c593d3d2d94e8a126b645 (diff) | |
download | musl-ad0dfd04c2daf176235085c4e97f4d6ed3851654.tar.gz musl-ad0dfd04c2daf176235085c4e97f4d6ed3851654.tar.bz2 musl-ad0dfd04c2daf176235085c4e97f4d6ed3851654.tar.xz musl-ad0dfd04c2daf176235085c4e97f4d6ed3851654.zip |
fix carry into uninitialized slots during printf floating point rounding
in cases where rounding caused a carry, the slot into which the carry
was taking place was unconditionally treated as valid, despite the
possibility that it could be a new slot prior to the beginning of the
existing non-rounded number. in theory this could lead to unbounded
runaway carry, but in order for that to happen, the whole
uninitialized buffer would need to have been pre-filled with 32-bit
integer values greater than or equal to 999999999.
patch based on proposed fix by Morten Welinder, who also discovered
and reported the bug.
(cherry picked from commit 109048e031f39fbb370211fde44ababf6c04c8fb)
-rw-r--r-- | src/stdio/vfprintf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c index 31c3d5dd..bec63ecf 100644 --- a/src/stdio/vfprintf.c +++ b/src/stdio/vfprintf.c @@ -356,9 +356,9 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) *d = *d + i; while (*d > 999999999) { *d--=0; + if (d<a) *--a=0; (*d)++; } - if (d<a) a=d; for (i=10, e=9*(r-a); *a>=i; i*=10, e++); } } |