vfprintf: Fix memory with large width and precision [BZ #19931]

Free a previously allocated work buffer if it is not large enough.
author: Florian Weimer <fweimer@redhat.com> 2016-04-25 14:10:26 +0200
committer: Florian Weimer <fweimer@redhat.com> 2016-04-25 14:10:26 +0200
commit: fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4 (patch)
tree: 1678f802177bb5f37a058e857a43da5363ab5d8e /stdio-common/vfprintf.c
parent: a5507dfa60a8b92ba52dadabea88e2b5d91da655 (diff)
download: glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.zip
glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.tar.gz
glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 6829d4d..f24020a 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1564,6 +1564,11 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	prec = 0;
       if (prec > width && prec > WORK_BUFFER_SIZE - 32)
 	{
+	  /* Deallocate any previously allocated buffer because it is
+	     too small.  */
+	  if (__glibc_unlikely (workstart != NULL))
+	    free (workstart);
+	  workstart = NULL;
 	  if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
 	    {
 	      __set_errno (EOVERFLOW);
author	Florian Weimer <fweimer@redhat.com>	2016-04-25 14:10:26 +0200
committer	Florian Weimer <fweimer@redhat.com>	2016-04-25 14:10:26 +0200
commit	fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4 (patch)
tree	1678f802177bb5f37a058e857a43da5363ab5d8e /stdio-common/vfprintf.c
parent	a5507dfa60a8b92ba52dadabea88e2b5d91da655 (diff)
download	glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.zip glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.tar.gz glibc-fdcf1c9480342d9f5fc2d23f142d621bcb4d00a4.tar.bz2