From: Ulrich Drepper Date: Sun, 18 Dec 2011 02:27:25 +0000 (-0500) Subject: Fix extension of array in extended printf format handling X-Git-Tag: glibc-2.15~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4647e727a2a52e1259474c13f4b13288938bed4;p=thirdparty%2Fglibc.git Fix extension of array in extended printf format handling --- diff --git a/ChangeLog b/ChangeLog index 3487990df0b..2ddadd5a442 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-12-17 Ulrich Drepper + + [BZ #13446] + * stdio-common/vfprintf.c (vfprintf): Fix extension of specs array. + 2011-11-22 Adhemerval Zanella * sysdeps/powerpc/Makefile: Added locale-defines.sym generation. diff --git a/NEWS b/NEWS index 0fe515d7277..a0869ef08a4 100644 --- a/NEWS +++ b/NEWS @@ -12,8 +12,8 @@ Version 2.15 6779, 6783, 9696, 10103, 10709, 11589, 12403, 12847, 12868, 12852, 12874, 12885, 12892, 12907, 12922, 12935, 13007, 13021, 13067, 13068, 13090, 13092, 13114, 13118, 13123, 13134, 13138, 13147, 13150, 13179, 13192, - 13268, 13276, 13291, 13335, 13337, 13344, 13358, 13367, 13472, 13484, - 13506 + 13268, 13276, 13291, 13335, 13337, 13344, 13358, 13367, 13446, 13472, + 13484, 13506 * New program pldd to list loaded object of a process Implemented by Ulrich Drepper. diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c index 753a5ac1500..952886b69e7 100644 --- a/stdio-common/vfprintf.c +++ b/stdio-common/vfprintf.c @@ -1640,9 +1640,9 @@ do_positional: /* Array with information about the needed arguments. This has to be dynamically extensible. */ size_t nspecs = 0; - size_t nspecs_max = 32; /* A more or less arbitrary start value. */ - struct printf_spec *specs - = alloca (nspecs_max * sizeof (struct printf_spec)); + /* A more or less arbitrary start value. */ + size_t nspecs_size = 32 * sizeof (struct printf_spec); + struct printf_spec *specs = alloca (nspecs_size); /* The number of arguments the format string requests. This will determine the size of the array needed to store the argument @@ -1679,15 +1679,14 @@ do_positional: for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt) { - if (nspecs >= nspecs_max) + if (nspecs * sizeof (*specs) >= nspecs_size) { /* Extend the array of format specifiers. */ struct printf_spec *old = specs; - specs = extend_alloca (specs, nspecs_max, - 2 * nspecs_max * sizeof (*specs)); + specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); /* Copy the old array's elements to the new space. */ - memmove (specs, old, nspecs * sizeof (struct printf_spec)); + memmove (specs, old, nspecs * sizeof (*specs)); } /* Parse the format specifier. */