From c01c245517b43fa3b983168197e7d05eef5f9828 Mon Sep 17 00:00:00 2001
From: Ulrich Drepper
Date: Tue, 1 May 2007 04:11:51 +0000
Subject: [BZ #4438] 2007-04-30 Ulrich Drepper [BZ #4438] * stdio-common/vfprintf.c (process_string_arg): Don't overflow the stack for large precisions.
---
 stdio-common/vfprintf.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
(limited to 'stdio-common/vfprintf.c')
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 946551f2d6..31bc523025 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1160,19 +1160,25 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 else \
 { \
 /* In case we have a multibyte character set the \
- situation is more compilcated. We must not copy \
+ situation is more complicated. We must not copy \
 bytes at the end which form an incomplete character. */\
- wchar_t ignore[prec]; \
+ wchar_t ignore[1024]; \
 const char *str2 = string; \
- mbstate_t ps; \
+ const char *strend = string + prec; \
+ if (strend < string) \
+ strend = (const char *) UINTPTR_MAX; \
 \
+ mbstate_t ps; \
 memset (&ps, '\0', sizeof (ps)); \
- if (__mbsnrtowcs (ignore, &str2, prec, prec, &ps) \
- == (size_t) -1) \
- { \
- done = -1; \
- goto all_done; \
- } \
+ \
+ while (str2 != NULL && str2 < strend) \
+ if (__mbsnrtowcs (ignore, &str2, strend - str2, 1024, \
+ &ps) == (size_t) -1) \
+ { \
+ done = -1; \
+ goto all_done; \
+ } \
+ \
 if (str2 == NULL) \
 len = strlen (string); \
 else \
-- cgit v1.2.1
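Review bot: The wrap-around guard `if (strend < string)` only works if `string + prec` has already overflowed, but forming a pointer beyond the end of the object is undefined behaviour in C, so an optimising compiler may assume the comparison is false and drop the clamp. Doing the bound arithmetic on integers avoids depending on that, for example `uintptr_t end = (uintptr_t) string + prec;` followed by `if (end < (uintptr_t) string) end = UINTPTR_MAX;` before converting back to `const char *`. The literal `1024` is also written twice, once in the declaration of `ignore` and once as the `__mbsnrtowcs` length; passing `sizeof (ignore) / sizeof (ignore[0])` would keep the buffer size and the conversion limit from drifting apart in a later edit. The enclosing macro begins and ends outside this hunk, so the type and range of `prec` should be confirmed against the surrounding code.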