mirror of
https://codeberg.org/ziglang/zig.git
synced 2026-05-03 16:22:55 +03:00
John Schmidt
adea9a1765
This commit fixes an out of bounds write that can occur when formatting certain float values. The write messes up the stack and causes incorrect results, segfaults, or nothing at all, depending on the optimization mode used. The `errol` function writes the digits of the float into `buffer` starting from index 1, leaving index 0 untouched, and returns `buffer[1..]` and the exponent. This is because `roundToPrecision` relies on index 0 being unused in case the rounding adds a digit (e.g rounding 999.99 to 1000.00). When this happens, pointer arithmetic is used [here](https://github.com/ziglang/zig/blob/0e6d2184cacf2dd1fad7508b2f9ae99d78763148/lib/std/fmt/errol.zig#L61-L65) to access index 0 and put the ones digit in the right place. However, `errol3u` contains two special cases: `errolInt` and `errolFixed`, which return from the function early. For these two special cases index 0 was never reserved, and the return value contains `buffer` instead of `buffer[1..]`. This causes the pointer arithmetic in `roundToPrecision` to write out of bounds, which in the case of `std.fmt.formatFloatDecimal` messes up the stack and causes undefined behavior. The fix is to move the slicing of `buffer` to `buffer[1..]` from `errol3u` to `errol` so that both the default and the special cases operate on the sliced buffer.