From 5e60d3a0c2c8725c323e5394d853f9fe12ce8587 Mon Sep 17 00:00:00 2001
From: Pip Cet 
Date: Mon, 27 Jan 2025 13:05:07 -0800
Subject: [PATCH] Fix buffer overflows in doprnt (bug#75900)

* src/doprnt.c (doprnt): Clear rest of buffer on multibyte overflow.
Always decrement bufsize when writing a byte.

(cherry picked from commit 0ed913cf46a8b07a39b065216272a7aa07123282)
---
 src/doprnt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/doprnt.c b/src/doprnt.c
index 421c4f4d15f..d8403bedbe4 100644
--- a/src/doprnt.c
+++ b/src/doprnt.c
@@ -447,7 +447,8 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
  while (tem != 0);
 
  memcpy (bufptr, string, tem);
- bufptr[tem] = 0;
+ while (tem < bufsize)
+ bufptr[tem++] = 0;
  /* Trigger exit from the loop, but make sure we return to the
  caller a value which will indicate that the buffer was too
  small.  */
@@ -499,6 +500,7 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
  fmtchar = '\'';
  *bufptr++ = fmtchar;
+ bufsize--;
  continue;
  }
  else
@@ -524,7 +526,10 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
  else
  {
  do
- *bufptr++ = *src++;
+ {
+ *bufptr++ = *src++;
+ bufsize--;
+ }
  while (--srclen != 0);
  }
  }
-- 
2.39.5
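Review bot: When `tem == bufsize` on entry (the character boundary coincides with the end of the buffer), the new `while (tem < bufsize)` loop writes nothing, whereas the removed `bufptr[tem] = 0;` stored a NUL at `bufptr[bufsize]`; whether the output is still NUL-terminated in that case depends on a terminator being written after the enclosing loop exits, which is outside this hunk and should be confirmed and stated in the comment. The zero-fill is also clearer as `memset (bufptr + tem, 0, bufsize - tem);`, which unlike the loop leaves `tem` unchanged — relevant only if the lines after the hunk still read `tem`. doprnt's body starts and ends outside the hunk.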
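Review bot: The added `bufsize--;` after `*bufptr++ = fmtchar;` corrects the bookkeeping, but nothing in the hunk shows that a byte of room remains before the store; presumably the enclosing loop's bufsize check guarantees it, and a one-line comment would make that dependency explicit: `/* The loop condition guarantees room for this byte.  */`. The same store-then-decrement pair now also appears in the per-byte copy loop further down; a small `static inline` helper (or macro) that does both would keep the two sites from drifting apart again, which is exactly how this bug arose. doprnt's body starts and ends outside the hunk.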
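Review bot: The do/while around `*bufptr++ = *src++;` still copies `srclen` bytes unconditionally; the added `bufsize--` only records the consumption and does not stop the copy when `bufsize` reaches zero, so correctness rests on an earlier check that `srclen` fits in `bufsize`, which is not visible in the hunk and should be confirmed. If `src` is not used after the loop, the branch reduces to `memcpy (bufptr, src, srclen); bufptr += srclen; bufsize -= srclen;`, which also avoids the `--srclen != 0` exit test that would run away if `srclen` were ever 0. doprnt's body starts and ends outside the hunk.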