path: root/src/stdio/vfprintf.c
author: Rich Felker <dalias@aerifal.cx> 2014-04-07 01:36:40 -0400
committer: Rich Felker <dalias@aerifal.cx> 2014-04-16 02:46:05 -0400
commit: ad0dfd04c2daf176235085c4e97f4d6ed3851654
tree: ce69bb0689328810426b7be7ed89056c64019a1b /src/stdio/vfprintf.c
parent: d636714704aede6f662c593d3d2d94e8a126b645

fix carry into uninitialized slots during printf floating point rounding

in cases where rounding caused a carry, the slot into which the carry
was taking place was unconditionally treated as valid, despite the
possibility that it could be a new slot prior to the beginning of the
existing non-rounded number. in theory this could lead to unbounded
runaway carry, but in order for that to happen, the whole
uninitialized buffer would need to have been pre-filled with 32-bit
integer values greater than or equal to 999999999.

patch based on proposed fix by Morten Welinder, who also discovered
and reported the bug.

(cherry picked from commit 109048e031f39fbb370211fde44ababf6c04c8fb)

Diffstat (limited to 'src/stdio/vfprintf.c')
-rw-r--r-- src/stdio/vfprintf.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index 31c3d5dd..bec63ecf 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -356,9 +356,9 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
 				*d = *d + i;
 				while (*d > 999999999) {
 					*d--=0;
+					if (d<a) *--a=0;
 					(*d)++;
 				}
-				if (d<a) a=d;
 				for (i=10, e=9*(r-a); *a>=i; i*=10, e++);
 			}
 		}
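
Review bot: The added `if (d<a) *--a=0;` inside the `while (*d > 999999999)` loop needs a short comment, because its correctness rests on an invariant the code does not state. Assuming `d >= a` when the loop is entered, `d<a` right after `*d--=0;` can only mean `d == a-1`, so `*--a=0` zeroes exactly the slot that the following `(*d)++` reads, and that slot then holds 1 and ends the loop. A comment to that effect (for example "carry moved below the first group: open a zeroed slot") would keep a later reader from reordering the two statements or restoring the removed `if (d<a) a=d;`, which adjusted `a` only after the slot had already been read and incremented. Nothing visible in this change adds a regression test; a case where rounding carries out of a leading group of 999999999 would cover the path.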