mprintf: reject two kinds of precision for the same argument

An input like "%.*1$.9999d" would first use the precision taken as an
argument *and* then the precision specified in the string, which is
confusing and wrong. pass1 will now instead return error on this double
use.

Adjusted unit test 1398 to verify

Reported-by: Peter Goodman
Closes #9754

diff --git a/lib/mprintf.c b/lib/mprintf.c
index 24c1dd555e6ff046117acb4d3b7bb9830f862e05..8a7c17a7ffb067de650955a6218463969f50cba9 100644 (file)
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -318,6 +318,11 @@ static int dprintf_Pass1(const char *format, struct va_stack *vto,
             flags |= FLAGS_PREC;
             precision = strtol(fmt, &fmt, 10);
           }
+          if((flags & (FLAGS_PREC | FLAGS_PRECPARAM)) ==
+             (FLAGS_PREC | FLAGS_PRECPARAM))
+            /* it is not permitted to use both kinds of precision for the same
+               argument */
+            return 1;
           break;
         case 'h':
           flags |= FLAGS_SHORT;

diff --git a/tests/unit/unit1398.c b/tests/unit/unit1398.c
index f68e43ecfa6448094c674d3f28eabcb589fd2abf..662e3bdbc257aadd4e5a79de42cfe8a9c201a119 100644 (file)
--- a/tests/unit/unit1398.c
+++ b/tests/unit/unit1398.c
@@ -89,4 +89,8 @@ rc = curl_msnprintf(output, 16, "%8d%8d", 1234, 5678);
 fail_unless(rc == 15, "return code should be 15");
 fail_unless(!strcmp(output, "    1234    567"), "wrong output");
 
+/* double precision */
+rc = curl_msnprintf(output, 24, "%.*1$.99d", 3, 5678);
+fail_unless(rc == 0, "return code should be 0");
+
 UNITTEST_STOP