1 diff -rup a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
2 --- a/stdio-common/vfprintf.c 2012-03-05 09:43:14.705536167 -0700
3 +++ b/stdio-common/vfprintf.c 2012-03-05 09:48:11.602890982 -0700
4 @@ -822,7 +822,7 @@ vfprintf (FILE *s, const CHAR_T *format,
6 if (function_done < 0) \
8 - /* Error in print handler. */ \
9 + /* Error in print handler; up to handler to set errno. */ \
13 @@ -876,7 +876,7 @@ vfprintf (FILE *s, const CHAR_T *format,
15 if (function_done < 0) \
17 - /* Error in print handler. */ \
18 + /* Error in print handler; up to handler to set errno. */ \
22 @@ -1117,7 +1117,7 @@ vfprintf (FILE *s, const CHAR_T *format,
24 if (len == (size_t) -1) \
26 - /* Something went wron gduring the conversion. Bail out. */ \
27 + /* Something went wrong during the conversion. Bail out. */ \
31 @@ -1188,6 +1188,7 @@ vfprintf (FILE *s, const CHAR_T *format,
32 if (__mbsnrtowcs (ignore, &str2, strend - str2, \
33 ignore_size, &ps) == (size_t) -1) \
35 + /* Conversion function has set errno. */ \
39 @@ -1599,6 +1600,7 @@ vfprintf (FILE *s, const CHAR_T *format,
42 /* The format string ended before the specifier is complete. */
43 + __set_errno (EINVAL);
47 @@ -1696,17 +1698,20 @@ do_positional:
49 /* Determine the number of arguments the format string consumes. */
50 nargs = MAX (nargs, max_ref_arg);
51 + /* Calculate total size needed to represent a single argument across
52 + all three argument-related arrays. */
53 bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
54 + sizeof (*args_type);
56 /* Check for potential integer overflow. */
57 - if (nargs > SIZE_MAX / bytes_per_arg)
58 + if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
60 + __set_errno (ERANGE);
65 - /* Allocate memory for the argument descriptions. */
66 + /* Allocate memory for all three argument arrays. */
67 if (__libc_use_alloca (nargs * bytes_per_arg))
68 args_value = alloca (nargs * bytes_per_arg);
70 @@ -1937,6 +1942,7 @@ do_positional:
72 if (function_done < 0)
74 + /* Function has set errno. */
78 @@ -1971,6 +1977,7 @@ do_positional:
80 if (function_done < 0)
82 + /* Function has set errno. */