helly           Mon Dec 26 13:39:17 2005 EDT

  Modified files:              
    /php-src/main       snprintf.c 
  Log:
  - Fix memory corruption in s*printf() (see bug #27678)
  
http://cvs.php.net/viewcvs.cgi/php-src/main/snprintf.c?r1=1.38&r2=1.39&diff_format=u
Index: php-src/main/snprintf.c
diff -u php-src/main/snprintf.c:1.38 php-src/main/snprintf.c:1.39
--- php-src/main/snprintf.c:1.38        Tue Nov  1 11:12:27 2005
+++ php-src/main/snprintf.c     Mon Dec 26 13:39:17 2005
@@ -16,7 +16,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: snprintf.c,v 1.38 2005/11/01 11:12:27 helly Exp $ */
+/* $Id: snprintf.c,v 1.39 2005/12/26 13:39:17 helly Exp $ */
 
 /* ====================================================================
  * Copyright (c) 1995-1998 The Apache Group.  All rights reserved.
@@ -199,9 +199,14 @@
                                *s++ = '.';
                        }
                } else {
+                       int addz = decimal_point >= NDIG ? decimal_point - NDIG + 1 : 0;
+                       decimal_point -= addz;
                        while (decimal_point-- > 0) {
                                *s++ = *p++;
                        }
+                       while (addz-- > 0) {
+                               *s++ = '0';
+                       }
                        if (precision > 0 || add_dp) {
                                *s++ = '.';
                        }
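Review bot: The new `while (addz-- > 0)` loop writes through `s` with no bound visible in this hunk, and the integer part still occupies the original `decimal_point` characters in the output (digits from `p` plus padded zeros). For very large magnitudes that is safe only if the caller's buffer is sized for it, which should be confirmed because the function starts and ends outside the hunk. The `+ 1` in the `addz` computation is unexplained; presumably the digit string at `p` holds at most NDIG-1 characters. I would add a comment above it such as `/* p holds at most NDIG-1 digits; emit the remaining integer places as '0' */`.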
@@ -312,19 +317,21 @@
         * Do integer part
         */
        if (fi != 0) {
-               p1 = &buf[NDIG];
                while (fi != 0) {
                        fj = modf(fi / 10, &fi);
                        if (p1 <= &buf[0]) {
                                mvl = NDIG - ndigits;
-                               memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+                               if (ndigits > 0) {
+                                       memmove(&buf[mvl], &buf[0], NDIG-mvl-1);
+                               }
                                p1 += mvl;
                        }
                        *--p1 = (int) ((fj + .03) * 10) + '0';
                        r2++;
                }
-               while (p1 < &buf[NDIG])
+               while (p1 < &buf[NDIG]) {
                        *p++ = *p1++;
+               }
        } else if (arg > 0) {
                while ((fj = arg * 10) < 1) {
                        if (!eflag && (r2 * -1) < ndigits) {
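Review bot: The new `if (ndigits > 0)` guard only skips the memmove for non-positive `ndigits`, while `mvl = NDIG - ndigits` is still used unchecked in `&buf[mvl]` and in `p1 += mvl`. If `ndigits` can be negative or reach NDIG at this point, `mvl` falls outside 0..NDIG and the following `*--p1` store lands outside `buf`; whether `ndigits` is clamped earlier is not visible, since the function starts above the hunk. The hunk also removes `p1 = &buf[NDIG];`, so the loop now depends on an initialisation outside the hunk. If no clamp exists, add one before the loop, e.g. `if (ndigits < 0) ndigits = 0;` and `if (ndigits >= NDIG - 1) ndigits = NDIG - 2;`, together with a comment stating the invariant the pointer arithmetic relies on.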
