
[PATCH] ntoab: Fix buffer underflow with large integer.


From: Michael Forney
Subject: [PATCH] ntoab: Fix buffer underflow with large integer.
Date: Sat, 13 Apr 2024 11:43:12 -0700

With base == 8, -2^63 is converted as -1000000000000000000000, which
is 24 bytes long (including terminating nul), so we need at least
this much space in the __itoa_buf.

* lib/mes/ntoab.c (ntoab): Allocate enough space for longest string,
  and update assert with lowest possible base. Don't decrement
  pointer below start of buffer, even temporarily.
---
 lib/mes/ntoab.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/lib/mes/ntoab.c b/lib/mes/ntoab.c
index c8827503..acdeb8db 100644
--- a/lib/mes/ntoab.c
+++ b/lib/mes/ntoab.c
@@ -50,12 +50,10 @@ char *
 ntoab (long x, unsigned base, int signed_p)
 {
   if (__itoa_buf == 0)
-    __itoa_buf = malloc (20);
-  char *p = __itoa_buf + 11;
+    __itoa_buf = malloc (24);
+  char *p = __itoa_buf + 23;
 
-  p[0] = 0;
-  p = p - 1;
-  assert_msg (base > 0, "base > 0");
+  assert_msg (base >= 8, "base >= 8");
 
   int sign_p = 0;
   size_t i;
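Review bot: The `24` on the malloc line, the `23` on the pointer line and the `8` in the new assert are three copies of one invariant (a 64-bit `long` in base ≥ 8 yields at most 22 digits, plus sign and NUL), but nothing in the hunk ties them together, so changing any one of them alone reintroduces the underflow this patch fixes. I would at least document the coupling where the size is chosen, e.g. `/* Worst case is LONG_MIN in base 8: 22 digits + '-' + NUL = 24 bytes.  Keep in sync with the base >= 8 assert below; the loop relies on this bound instead of checking p.  */`, or derive the size from `sizeof (long)` if mescc handles that in a constant expression. The `malloc` result is also still unchecked, as before the patch; on failure `p = __itoa_buf + 23` is a near-null pointer that the digit loop writes through. The function continues past this hunk.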
@@ -71,22 +69,23 @@ ntoab (long x, unsigned base, int signed_p)
   else
     u = x;
 
+  p[0] = 0;
   do
     {
+      p = p - 1;
       u = __mesabi_uldiv (u, b, &i);
       if (i > 9)
         p[0] = 'a' + i - 10;
       else
         p[0] = '0' + i;
-      p = p - 1;
     }
   while (u != 0);
 
-  if (sign_p && p[1] != '0')
+  if (sign_p && p[0] != '0')
     {
-      p[0] = '-';
       p = p - 1;
+      p[0] = '-';
     }
 
-  return p + 1;
+  return p;
 }
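Review bot: The digit loop and the sign step now decrement `p` without any bound check, so correctness rests entirely on the 24-byte size chosen at the top of the function; if that coupling ever breaks (a smaller buffer, a base below 8 slipping past the assert, a wider `long`) the result is again a silent heap write just below `__itoa_buf`. Since the function already uses `assert_msg`, a cheap guard before each decrement would turn that into a loud failure: `assert_msg (p > __itoa_buf, "ntoab: buffer underflow");` as the first statement of the `do` body, and the same line before `p = p - 1;` in the sign block. The `p[0] != '0'` condition also deserves a short comment on when it can be false for a negative value, since the loop never emits a leading zero for nonzero `u`; the sign handling that sets `sign_p` and `u` lies outside this hunk, so I cannot confirm the intent from here.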
-- 
2.44.0



