From: Rich Felker <dalias@aerifal.cx>
Date: Fri, 8 Jun 2012 14:32:59 +0000 (-0400)
Subject: fix printf %ls with precision limit over-read issue
X-Git-Url: http://nsz.repo.hu/git/?a=commitdiff_plain;h=6e9ff6a4cf4c6ab8f18e35934e33579c4caf2c3e;p=musl

fix printf %ls with precision limit over-read issue

printf was not printing too many characters, but it was reading one
too many wchar_t elements from the input. this could lead to crashes
if running off the page, or spurious failure if the conversion of the
extra wchar_t resulted in EILSEQ.
---

diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index 91c6b93a..d593b330 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -599,12 +599,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
 			p = -1;
 		case 'S':
 			ws = arg.p;
-			for (i=0; *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l);
+			for (i=l=0; i<p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l);
 			if (l<0) return -1;
 			p = i;
 			pad(f, ' ', w, p, fl);
 			ws = arg.p;
-			for (i=0; *ws && i+(l=wctomb(mb, *ws++))<=p; i+=l)
+			for (i=0; i<p && *ws && i+(l=wctomb(mb, *ws++))<=p; i+=l)
 				out(f, mb, l);
 			pad(f, ' ', w, p, fl^LEFT_ADJ);
 			l = w>p ? w : p;