summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2014-03-09 01:38:52 -0500
committerRich Felker <dalias@aerifal.cx>2014-03-09 01:38:52 -0500
commitba231cf9e5923b6216081e9a626465c6643ce4d3 (patch)
treefa2e3c3b43d22efe22f5d4af24acd84504b826b0 /src
parent73f5b096056e03d8e27965040faee0af778517fc (diff)
downloadmusl-ba231cf9e5923b6216081e9a626465c6643ce4d3.tar.gz
musl-ba231cf9e5923b6216081e9a626465c6643ce4d3.tar.bz2
musl-ba231cf9e5923b6216081e9a626465c6643ce4d3.tar.xz
musl-ba231cf9e5923b6216081e9a626465c6643ce4d3.zip
fix buffer overflow in printf formatting of denormals with low bit set
empirically the overflow was an off-by-one, and it did not seem to be overwriting meaningful data. rather than simply increasing the buffer size by one, however, I have attempted to make the size obviously correct in terms of bounds on the number of iterations for the loops that fill the buffer. this still results in no more than a negligible size increase of the buffer on the stack (6-7 32-bit slots) and is a "safer" fix unless/until somebody wants to do the proof that a smaller buffer would suffice.
Diffstat (limited to 'src')
-rw-r--r--src/stdio/vfprintf.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index b5948bd2..85701726 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -207,7 +207,8 @@ typedef char compiler_defines_long_double_incorrectly[9-(int)sizeof(long double)
static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
{
- uint32_t big[(LDBL_MAX_EXP+LDBL_MANT_DIG)/9+1];
+ uint32_t big[(LDBL_MANT_DIG+28)/29 + 1 // mantissa expansion
+ + (LDBL_MAX_EXP+LDBL_MANT_DIG+28+8)/9]; // exponent expansion
uint32_t *a, *d, *r, *z;
int e2=0, e, i, j, l;
char buf[9+LDBL_MANT_DIG/4], *s;