@@ -170,10 +170,20 @@ int mp_format_float(FPTYPE f, char *buf, size_t buf_size, char fmt, int prec, ch
170170
171171 if (fp_iszero (f )) {
172172 e = 0 ;
173- if (fmt == 'e' ) {
174- e_sign = '+' ;
175- } else if (fmt == 'f' ) {
173+ if (fmt == 'f' ) {
174+ // Truncate precision to prevent buffer overflow
175+ if (prec + 2 > buf_remaining ) {
176+ prec = buf_remaining - 2 ;
177+ }
176178 num_digits = prec + 1 ;
179+ } else {
180+ // Truncate precision to prevent buffer overflow
181+ if (prec + 6 > buf_remaining ) {
182+ prec = buf_remaining - 6 ;
183+ }
184+ if (fmt == 'e' ) {
185+ e_sign = '+' ;
186+ }
177187 }
178188 } else if (fp_isless1 (f )) {
179189 // We need to figure out what an integer digit will be used
@@ -275,6 +285,12 @@ int mp_format_float(FPTYPE f, char *buf, size_t buf_size, char fmt, int prec, ch
275285 if (fmt == 'e' && prec > (buf_remaining - FPMIN_BUF_SIZE )) {
276286 prec = buf_remaining - FPMIN_BUF_SIZE ;
277287 }
288+ if (fmt == 'g' ){
289+ // Truncate precision to prevent buffer overflow
290+ if (prec + (FPMIN_BUF_SIZE - 1 ) > buf_remaining ) {
291+ prec = buf_remaining - (FPMIN_BUF_SIZE - 1 );
292+ }
293+ }
278294 // If the user specified 'g' format, and e is < prec, then we'll switch
279295 // to the fixed format.
280296
@@ -378,6 +394,9 @@ int mp_format_float(FPTYPE f, char *buf, size_t buf_size, char fmt, int prec, ch
378394 }
379395 }
380396
397+ // verify that we did not overrun the input buffer so far
398+ assert ((size_t )(s + 1 - buf ) <= buf_size );
399+
381400 if (org_fmt == 'g' && prec > 0 ) {
382401 // Remove trailing zeros and a trailing decimal point
383402 while (s [-1 ] == '0' ) {
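Review bot: The clamps added in the `fp_iszero` branch of the first hunk are written as `prec + 2 > buf_remaining` and `prec + 6 > buf_remaining`, so a very large caller-supplied `int prec` makes the addition overflow (undefined behaviour), and a small `buf_remaining` leaves `prec` negative after the assignment. The existing `'e'` check at the top of the second hunk already uses the subtraction form, so I would match it and floor the result: `if (prec > buf_remaining - 2) { prec = buf_remaining - 2; }` followed by `if (prec < 0) { prec = 0; }`, and likewise for the `- 6` case and the new `'g'` clamp in the second hunk. `mp_format_float` starts and ends outside these hunks, so the type of `buf_remaining` and any earlier minimum-buffer-size check are not visible and should be confirmed before relying on them. The literals 2 and 6 would also benefit from a comment naming the bytes they reserve, e.g. `// leading digit + '.'` and `// leading digit + '.' + "e+00"`, if that is what is intended. The `assert` added in the third hunk is compiled out under `NDEBUG` and only fires after the write has happened, so in release builds these clamps are the only guard.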