From fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Mon, 25 Apr 2016 14:10:26 +0200
Subject: vfprintf: Fix memory with large width and precision [BZ #19931]

Free a previously allocated work buffer if it is not large enough.
---
 stdio-common/vfprintf.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'stdio-common/vfprintf.c')
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 6829d4dc8e..f24020a585 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1564,6 +1564,11 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 prec = 0;
 if (prec > width && prec > WORK_BUFFER_SIZE - 32)
 {
+ /* Deallocate any previously allocated buffer because it is
+ too small. */
+ if (__glibc_unlikely (workstart != NULL))
+ free (workstart);
+ workstart = NULL;
 if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
 {
 __set_errno (EOVERFLOW);
-- 
cgit v1.2.1
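Review bot: After the added `free (workstart); workstart = NULL;` in the `prec > width && prec > WORK_BUFFER_SIZE - 32` branch, any pointer derived from the old buffer (an end-of-buffer pointer, if the function keeps one) is stale until the reallocation that presumably follows, and the `EOVERFLOW` path visible right below leaves the block without reaching it. The rest of the branch and the error exit are outside the hunk, so it should be confirmed there that nothing on that exit path reads through such a pointer. If the exit only frees `workstart`, a short comment would record the invariant, e.g. `/* workstart is NULL from here on, so cleanup on the error path cannot double-free. */`. The `workstart != NULL` guard is not needed for correctness, since `free (NULL)` is a no-op; keeping it purely as a branch hint is fine if that matches the rest of the file.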