summaryrefslogtreecommitdiff
path: root/src/stdio/vfprintf.c
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2012-06-08 10:32:59 -0400
committerRich Felker <dalias@aerifal.cx>2012-06-08 10:32:59 -0400
commit6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e (patch)
tree7f6a11d836b0b4fd878fabea1becd5cb7e8d77ff /src/stdio/vfprintf.c
parent1429ce9ba2425b8abeefc311d56db5efe801d9d2 (diff)
downloadmusl-6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e.tar.gz
musl-6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e.tar.bz2
musl-6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e.tar.xz
musl-6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e.zip
fix printf %ls with precision limit over-read issue
printf was not printing too many characters, but it was reading one too many wchar_t elements from the input. this could lead to crashes if running off the page, or spurious failure if the conversion of the extra wchar_t resulted in EILSEQ.
Diffstat (limited to 'src/stdio/vfprintf.c')
-rw-r--r--src/stdio/vfprintf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index 91c6b93a..d593b330 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -599,12 +599,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
p = -1;
case 'S':
ws = arg.p;
- for (i=0; *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l);
+ for (i=l=0; i<p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l);
if (l<0) return -1;
p = i;
pad(f, ' ', w, p, fl);
ws = arg.p;
- for (i=0; *ws && i+(l=wctomb(mb, *ws++))<=p; i+=l)
+ for (i=0; i<p && *ws && i+(l=wctomb(mb, *ws++))<=p; i+=l)
out(f, mb, l);
pad(f, ' ', w, p, fl^LEFT_ADJ);
l = w>p ? w : p;