diff options
| author | Rich Felker <dalias@aerifal.cx> | 2014-04-07 01:36:40 -0400 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2014-04-07 01:36:40 -0400 |
| commit | 109048e031f39fbb370211fde44ababf6c04c8fb (patch) | |
| tree | 7974ab603f1c7e6aa3bc081202ac530b7fa5ad82 /src/stdio | |
| parent | 7e8b0761e57266f40b8d51105b84c50e504e89c5 (diff) | |
| download | musl-109048e031f39fbb370211fde44ababf6c04c8fb.tar.gz musl-109048e031f39fbb370211fde44ababf6c04c8fb.tar.xz musl-109048e031f39fbb370211fde44ababf6c04c8fb.zip | |
fix carry into uninitialized slots during printf floating point rounding
in cases where rounding caused a carry, the slot into which the carry was taking place was unconditionally treated as valid, despite the possibility that it could be a new slot prior to the beginning of the existing non-rounded number. in theory this could lead to unbounded runaway carry, but in order for that to happen, the whole uninitialized buffer would need to have been pre-filled with 32-bit integer values greater than or equal to 999999999. patch based on proposed fix by Morten Welinder, who also discovered and reported the bug.
Diffstat (limited to 'src/stdio')
| -rw-r--r-- | src/stdio/vfprintf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c index 31c3d5dd..bec63ecf 100644 --- a/src/stdio/vfprintf.c +++ b/src/stdio/vfprintf.c @@ -356,9 +356,9 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) *d = *d + i; while (*d > 999999999) { *d--=0; + if (d<a) *--a=0; (*d)++; } - if (d<a) a=d; for (i=10, e=9*(r-a); *a>=i; i*=10, e++); } } |