authorUlrich Drepper <drepper@gmail.com>2011-12-17 21:27:25 -0500
committerUlrich Drepper <drepper@gmail.com>2011-12-17 21:27:25 -0500
commita4647e727a2a52e1259474c13f4b13288938bed4 (patch)
tree7ba90ac2c88a39659951e43855a26d7b02af6596
parentf0b264f17458b2289a7354fb606fbdfca58826fb (diff)
Fix extension of array in extended printf format handling
-rw-r--r--ChangeLog5
-rw-r--r--NEWS4
-rw-r--r--stdio-common/vfprintf.c13
3 files changed, 13 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 3487990df0..2ddadd5a44 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-12-17  Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #13446]
+	* stdio-common/vfprintf.c (vfprintf): Fix extension of specs array.
+
 2011-11-22  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
 
 	* sysdeps/powerpc/Makefile: Added locale-defines.sym generation.
diff --git a/NEWS b/NEWS
index 0fe515d727..a0869ef08a 100644
--- a/NEWS
+++ b/NEWS
@@ -12,8 +12,8 @@ Version 2.15
   6779, 6783, 9696, 10103, 10709, 11589, 12403, 12847, 12868, 12852, 12874,
   12885, 12892, 12907, 12922, 12935, 13007, 13021, 13067, 13068, 13090,
   13092, 13114, 13118, 13123, 13134, 13138, 13147, 13150, 13179, 13192,
-  13268, 13276, 13291, 13335, 13337, 13344, 13358, 13367, 13472, 13484,
-  13506
+  13268, 13276, 13291, 13335, 13337, 13344, 13358, 13367, 13446, 13472,
+  13484, 13506
 
 * New program pldd to list loaded object of a process
   Implemented by Ulrich Drepper.
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 753a5ac150..952886b69e 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1640,9 +1640,9 @@ do_positional:
     /* Array with information about the needed arguments.  This has to
        be dynamically extensible.  */
     size_t nspecs = 0;
-    size_t nspecs_max = 32;	/* A more or less arbitrary start value.  */
-    struct printf_spec *specs
-      = alloca (nspecs_max * sizeof (struct printf_spec));
+    /* A more or less arbitrary start value.  */
+    size_t nspecs_size = 32 * sizeof (struct printf_spec);
+    struct printf_spec *specs = alloca (nspecs_size);
 
     /* The number of arguments the format string requests.  This will
        determine the size of the array needed to store the argument
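Review bot: `nspecs_size` now counts bytes while `nspecs` still counts elements, but the only comment kept at the declaration ("A more or less arbitrary start value") does not say which unit the variable holds. The bounds test and the `extend_alloca` call in the next hunk both depend on that unit, and mixing the two up appears to be what this commit corrects, so it is worth stating here. Suggested comment: `/* Size of the specs array in bytes, not elements; initially room for 32 entries, an arbitrary start value.  */`. The enclosing block of vfprintf starts and ends outside the hunk.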
@@ -1679,15 +1679,14 @@ do_positional:
 
     for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt)
       {
-	if (nspecs >= nspecs_max)
+	if (nspecs * sizeof (*specs) >= nspecs_size)
 	  {
 	    /* Extend the array of format specifiers.  */
 	    struct printf_spec *old = specs;
-	    specs = extend_alloca (specs, nspecs_max,
-				   2 * nspecs_max * sizeof (*specs));
+	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
 
 	    /* Copy the old array's elements to the new space.  */
-	    memmove (specs, old, nspecs * sizeof (struct printf_spec));
+	    memmove (specs, old, nspecs * sizeof (*specs));
 	  }
 
 	/* Parse the format specifier.  */
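Review bot: The doubling in `extend_alloca (specs, nspecs_size, 2 * nspecs_size)` has no upper bound, so the number of conversion specifiers in the format string decides how much stack this loop consumes. A very long or externally influenced format can still exhaust the stack even with the size bookkeeping corrected. A limit before the call would help, for example `if (!__libc_use_alloca (2 * nspecs_size))` followed by either a heap allocation for the larger array or an error return; the matching free would go on the exit paths, which lie outside this hunk. Separately, the test `nspecs * sizeof (*specs) >= nspecs_size` is only safe while `nspecs_size` stays a whole multiple of the element size, which depends on how `extend_alloca` rounds (not visible here). Writing it as `(nspecs + 1) * sizeof (*specs) > nspecs_size` would not rely on that.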