fix wide printf numbered argument buffer overflow

The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.

diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index 1878411..5369770 100644 (file)
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -347,8 +347,8 @@ overflow:
 int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
 {
        va_list ap2;
-       int nl_type[NL_ARGMAX] = {0};
-       union arg nl_arg[NL_ARGMAX];
+       int nl_type[NL_ARGMAX+1] = {0};
+       union arg nl_arg[NL_ARGMAX+1];
        int olderr;
        int ret;