authorMarcus Boerger <helly@php.net>2005-12-26 13:39:17 +0000
committerMarcus Boerger <helly@php.net>2005-12-26 13:39:17 +0000
commit27986dbc88189d013def383ed11fadbfd96a2f04 (patch)
tree12b10f310feea8b0d0f5a62ec4414f57cc9105c8
parentab24e8589392b71454ced2ef921007227b0320ea (diff)
- Fix memory corruption in s*printf() (see bug #27678)
-rw-r--r--main/snprintf.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/main/snprintf.c b/main/snprintf.c
index 6f5a3a7191..5eba393699 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -199,9 +199,14 @@ char * ap_php_conv_fp(register char format, register double num,
*s++ = '.';
}
} else {
+ int addz = decimal_point >= NDIG ? decimal_point - NDIG + 1 : 0;
+ decimal_point -= addz;
while (decimal_point-- > 0) {
*s++ = *p++;
}
+ while (addz-- > 0) {
+ *s++ = '0';
+ }
if (precision > 0 || add_dp) {
*s++ = '.';
}
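Review bot: The padding loop `while (addz-- > 0) { *s++ = '0'; }` limits how many digits are read through `p`, but nothing in this hunk limits the writes through `s`; the integer part still emits the original `decimal_point` characters in total. The size of the caller's buffer is not visible here, so it should be confirmed that it can hold the largest integer part plus the sign, the decimal point and `precision` digits. The `+ 1` in the `addz` expression also deserves a comment, for example `/* p supplies at most NDIG-1 digits; pad the rest of the integer part with '0' */`, if that is the intent. The body of ap_php_conv_fp begins and ends outside the hunk.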
@@ -312,19 +317,21 @@ char * ap_php_cvt(double arg, int ndigits, int *decpt, int *sign, int eflag, cha
* Do integer part
*/
if (fi != 0) {
- p1 = &buf[NDIG];
while (fi != 0) {
fj = modf(fi / 10, &fi);
if (p1 <= &buf[0]) {
mvl = NDIG - ndigits;
- memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+ if (ndigits > 0) {
+ memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+ }
p1 += mvl;
}
*--p1 = (int) ((fj + .03) * 10) + '0';
r2++;
}
- while (p1 < &buf[NDIG])
+ while (p1 < &buf[NDIG]) {
*p++ = *p1++;
+ }
} else if (arg > 0) {
while ((fj = arg * 10) < 1) {
if (!eflag && (r2 * -1) < ndigits) {
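Review bot: The new `if (ndigits > 0)` guard skips the `memmove` whose length `NDIG-mvl-1` would otherwise go negative, but `p1 += mvl` still runs with `mvl = NDIG - ndigits`. For `ndigits == 0` that lands on `&buf[NDIG]` and is fine; for a negative `ndigits` it puts `p1` past the end of `buf`, and the following `*--p1 = ...` then stores outside it. Whether a negative value can reach this point depends on clamping outside the hunk; if it can, compute `mvl = ndigits > 0 ? NDIG - ndigits : NDIG;` before the guard. The hunk also drops `p1 = &buf[NDIG];`, so the loop relies on an initialisation elsewhere in ap_php_cvt, whose body starts and ends outside the hunk.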