Hi all,

I believe I have found an out of bounds memory read in vfprintf.c

On line 509 in src/stdio/vfprintf.c in the current source tree head, you
can observe the following snippet of code:

/* Format specifier state machine */
st=0;
do {
if (OOB(*s)) goto inval;
ps=st;
st=states[st]S(*s++);
} while (st-1<STOP);
if (!st) goto inval;

Note that on line 99 the OOB macro expands to the following test whether
the argument falls outside of 'A' and 'z', written to use a single compare:

#define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')
Unfortunately, the cast to unsigned binds tighter than the subtract
from 'A', so if x is less than 'A',
OOB will return false. This is common in the case of space, which has
an ascii value of 32

compared to 'A' 's value of 65.

This causes us to index into states with a negative value for its
second dimension, causing us to
index to an unpredictable location in states, possibly even off the beginning.
Hope this helps,
Mark Winterrowd