vfprintf: Fix memory with large width and precision [BZ #19931]

Free a previously allocated work buffer if it is not large enough.
2025-08-08 17:42:12 +03:00 · 2016-04-25 14:10:26 +02:00
parent a5507dfa60
commit fdcf1c9480
4 changed files with 134 additions and 5 deletions
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1564,6 +1564,11 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	prec = 0;
      if (prec > width && prec > WORK_BUFFER_SIZE - 32)
 	{
+	  /* Deallocate any previously allocated buffer because it is
+	     too small.  */
+	  if (__glibc_unlikely (workstart != NULL))
+	    free (workstart);
+	  workstart = NULL;
 	  if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
 	    {
 	      __set_errno (EOVERFLOW);