summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2014-04-07 01:36:40 -0400
committerRich Felker <dalias@aerifal.cx>2014-04-16 02:46:05 -0400
commitad0dfd04c2daf176235085c4e97f4d6ed3851654 (patch)
treece69bb0689328810426b7be7ed89056c64019a1b
parentd636714704aede6f662c593d3d2d94e8a126b645 (diff)
downloadmusl-ad0dfd04c2daf176235085c4e97f4d6ed3851654.tar.gz
fix carry into uninitialized slots during printf floating point rounding
in cases where rounding caused a carry, the slot into which the carry was taking place was unconditionally treated as valid, despite the possibility that it could be a new slot prior to the beginning of the existing non-rounded number. in theory this could lead to unbounded runaway carry, but in order for that to happen, the whole uninitialized buffer would need to have been pre-filled with 32-bit integer values greater than or equal to 999999999. patch based on proposed fix by Morten Welinder, who also discovered and reported the bug. (cherry picked from commit 109048e031f39fbb370211fde44ababf6c04c8fb)
-rw-r--r--src/stdio/vfprintf.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index 31c3d5dd..bec63ecf 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -356,9 +356,9 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
*d = *d + i;
while (*d > 999999999) {
*d--=0;
+ if (d<a) *--a=0;
(*d)++;
}
- if (d<a) a=d;
for (i=10, e=9*(r-a); *a>=i; i*=10, e++);
}
}