From cac015e654dbb3ab538cb26486115c4c9b4fc210 Mon Sep 17 00:00:00 2001
From: Mikael Pettersson
Date: Mon, 5 Feb 2018 21:41:07 +0100
Subject: Fix size of fmt_double()'s format_str[] buffer

fmt_double() may write up to 8 characters into its format_str[] buffer, which however only has room for 7 characters. This case could be triggered by a call to erts_printf_format() with any floating-point format that also includes #, and + or a space, which may be uncommon, but a nif or driver could issue it.
---
 erts/lib_src/common/erl_printf_format.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/erts/lib_src/common/erl_printf_format.c b/erts/lib_src/common/erl_printf_format.c
index 3302083288..5a680d6f9d 100644
--- a/erts/lib_src/common/erl_printf_format.c
+++ b/erts/lib_src/common/erl_printf_format.c
@@ -326,7 +326,7 @@ static int fmt_double(fmtfn_t fn,void*arg,double val,
 {
 int res;
 int fi = 0;
- char format_str[7];
+ char format_str[8];
 char sbuf[32];
 char *bufp = sbuf;
 double dexp;
-- 
cgit v1.2.3
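Review bot: The new bound on `char format_str[8];` is a bare literal sized to the worst case with no slack, so nothing at the declaration tells a maintainer that adding one more flag character to the format-building code brings back the one-byte stack overwrite. The writes that fill format_str[] lie outside this hunk (fmt_double's body continues past it), so the count of 8 can only be taken from the commit message, which also does not say whether it includes the terminating NUL. I would record the budget where the array is declared, e.g. `char format_str[8]; /* worst case: 8 chars, see flag handling below; grow this if a flag is added */`, and add a debug assertion that `fi <= sizeof format_str` after the last write so a future mismatch fails in test builds instead of corrupting the adjacent stack objects.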