Hi£¬    I'm sorry for the incorrect format diff. I updated it.   As we discussed earlier, I made a patch to get nl_arg when we see '$' ranther than visit the format anyway. Could you please help me review it£¿ https://www.openwall.com/lists/musl/2023/05/06/1 https://www.openwall.com/lists/musl/2023/05/06/2 https://www.openwall.com/lists/musl/2023/05/06/3 https://www.openwall.com/lists/musl/2023/05/06/4 https://www.openwall.com/lists/musl/2023/05/06/5 https://www.openwall.com/lists/musl/2023/05/07/1 https://www.openwall.com/lists/musl/2023/05/07/2 ---------------------------------
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
old mode 100644
new mode 100755
index 9b961e7f..3294e23b
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -427,7 +427,7 @@ static int getint(char **s) {
 return i;
 }
-static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, int *nl_type)
+static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, int *nl_type, union arg* nl_arg_ptr)
 {
 char *a, *z, *s=(char *)fmt;
 unsigned l10n=0, fl;
@@ -462,6 +462,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
 if (l) continue;
 if (isdigit(s[1]) && s[2]=='$') {
+ if (nl_arg_ptr == NULL) {
+ nl_arg_ptr = nl_arg;
+ if (printf_core(0, fmt, ap, nl_arg, nl_type, nl_arg_ptr) < 0) {
+ return -1;
+ }
+ }
 l10n=1;
 argpos = s[1]-'0';
 s+=3;
@@ -477,6 +483,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
 /* Read field width */
 if (*s=='*') {
 if (isdigit(s[1]) && s[2]=='$') {
+ if (nl_arg_ptr == NULL) {
+ nl_arg_ptr = nl_arg;
+ if (printf_core(0, fmt, ap, nl_arg, nl_type, nl_arg_ptr) < 0) {
+ return -1;
+ }
+ }
 l10n=1;
 nl_type[s[1]-'0'] = INT;
 w = nl_arg[s[1]-'0'].i;
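Review bot: The parameter added to `printf_core` in the hunk at -427, `union arg* nl_arg_ptr`, is only compared with NULL and assigned `nl_arg` in the hunks at -462, -477 and -491, and is never dereferenced, so it is really a "numbered-argument pre-scan already done" flag typed as a pointer. Because it is passed by value, the `nl_arg_ptr` local added to `vfprintf` is always NULL at the call and carries no information. I would declare it as `int nl_scanned` with a comment such as `/* nonzero once the f==0 pass has filled nl_arg and nl_type */` and pass a literal `0` from `vfprintf`; if the pointer stays, `union arg *nl_arg_ptr` matches the declarator style of the neighbouring `union arg *nl_arg`. The file header also records `old mode 100644` / `new mode 100755`, which sets the executable bit on a C source file and should be dropped from the patch. The body of `printf_core` continues outside this hunk.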
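Review bot: The six-line lazy pre-scan block added after `if (isdigit(s[1]) && s[2]=='$') {` in the hunk at -462 is repeated verbatim in the field-width hunk (-477) and the precision hunk (-491), so any later correction has to be made in three places. I would move it into one small `static` helper called from all three sites, or at least give the first copy a comment such as `/* first '$' seen: run the f==0 pass from the start of fmt to collect numbered args */`. The nested call restarts at the beginning of `fmt` with the same `ap` that the output pass is using, and the comment should state what state `ap` is expected to be in at that point, since nothing in the visible lines checks it. The enclosing loop of `printf_core` starts and ends outside the hunk.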
@@ -491,6 +503,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
 /* Read precision */
 if (*s=='.' && s[1]=='*') {
 if (isdigit(s[2]) && s[3]=='$') {
+ if (nl_arg_ptr == NULL) {
+ nl_arg_ptr = nl_arg;
+ if (printf_core(0, fmt, ap, nl_arg, nl_type, nl_arg_ptr) < 0) {
+ return -1;
+ }
+ }
 nl_type[s[2]-'0'] = INT;
 p = nl_arg[s[2]-'0'].i;
 s+=4;
@@ -659,16 +677,13 @@ int vfprintf(FILE *restrict f, const char *restrict fmt, va_list ap)
 va_list ap2;
 int nl_type[NL_ARGMAX+1] = {0};
 union arg nl_arg[NL_ARGMAX+1];
+ union arg* nl_arg_ptr = NULL;
 unsigned char internal_buf[80], *saved_buf = 0;
 int olderr;
 int ret;
 /* the copy allows passing va_list* even if va_list is an array */
 va_copy(ap2, ap);
- if (printf_core(0, fmt, &ap2, nl_arg, nl_type) < 0) {
- va_end(ap2);
- return -1;
- }
 FLOCK(f);
 olderr = f->flags & F_ERR;
@@ -680,7 +695,7 @@ int vfprintf(FILE *restrict f, const char *restrict fmt, va_list ap)
 f->wpos = f->wbase = f->wend = 0;
 }
 if (!f->wend && __towrite(f)) ret = -1;
- else ret = printf_core(f, fmt, &ap2, nl_arg, nl_type);
+ else ret = printf_core(f, fmt, &ap2, nl_arg, nl_type, nl_arg_ptr);
 if (saved_buf) {
 f->write(f, 0, 0);
 if (!f->wpos) ret = -1;
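Review bot: Removing the up-front `printf_core(0, ...)` call in the hunk at -659 changes what a caller observes when a numbered-argument format is rejected. Before, `vfprintf` returned -1 ahead of `FLOCK(f)` with the stream untouched; now the rejection is found only inside the output pass, after any literal text in front of the first `$` conversion has presumably already been written (the write itself is outside the visible hunks). Callers that treat -1 as "nothing was emitted", for example when formatting into a buffer, would see partial output. If the goal is only to skip the extra pass for formats without numbered arguments, the early check can stay behind a cheap test: `if (strchr(fmt, '$') && printf_core(0, fmt, &ap2, nl_arg, nl_type) < 0) { va_end(ap2); return -1; }`, assuming `<string.h>` is already included in this file. The rest of `vfprintf` lies outside the hunk.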