FYI, I've just reported the problem:
http://bugzilla.redhat.com/441945
http://thread.gmane.org/gmane.comp.lib.glibc.alpha/13288

Quick summary: given a small buffer, say "char b[10];" with the latest upstream glibc, snprintf (b, sizeof b, fmt, 0) can fail, returning -1 with ENOMEM.

The problem is that snprintf forms the expansion of each directive in malloc'd storage, even when that expansion is much larger than the target buffer. So for arguments of "%1000000d" and 0 it would try to allocate space for 10^6+1 bytes and then write a million '0's into that buffer, even though it needs only "sizeof b" of them. Solaris 10 and FreeBSD6 get this right.

A slight variation, this is not supposed to return -1/ENOMEM, but does: snprintf (NULL, 0, ...)

Since snprintf is at the core of gnulib's formatted printing code, I'm thinking gnulib needs a full snprintf replacement. Can anyone see an alternative? Or point to a good- and free-enough implementation?
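
Added example, not part of the original message and not glibc or gnulib code: a sketch of a width-padded "%d" directive that needs no heap storage, because each run of output goes through a sink that stores only what fits in the target buffer while counting the full would-be length. The names bounded_width_d and struct sink are hypothetical, and padding follows the C standard's right-justified "%Nd" behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sink that stores at most size-1 bytes but counts every byte offered. */
struct sink { char *dst; size_t size; size_t total; };

static void sink_put(struct sink *s, char c, size_t n)
{
    /* Store only the part of the run that still fits; never allocate. */
    if (s->size != 0 && s->total < s->size - 1) {
        size_t room = s->size - 1 - s->total;
        memset(s->dst + s->total, c, n < room ? n : room);
    }
    s->total += n;
}

/* Hypothetical helper: same result as snprintf(dst, size, "%<width>d", value),
   returned as a size_t, using constant extra memory whatever the width. */
size_t bounded_width_d(char *dst, size_t size, size_t width, int value)
{
    char digits[24];  /* the digits of an int always fit on the stack */
    size_t len = (size_t)snprintf(digits, sizeof digits, "%d", value);
    struct sink s = { dst, dst ? size : 0, 0 };

    if (width > len)
        sink_put(&s, ' ', width - len);   /* padding is never materialised */
    for (size_t i = 0; i < len; i++)
        sink_put(&s, digits[i], 1);
    if (s.size != 0)                      /* always NUL-terminate a real buffer */
        s.dst[s.total < s.size ? s.total : s.size - 1] = '\0';
    return s.total;                       /* length the full expansion would have */
}

int main(void)
{
    char b[10];
    size_t r = bounded_width_d(b, sizeof b, 1000000, 0);
    printf("would-be length %zu, stored [%s]\n", r, b);
    printf("size query: %zu\n", bounded_width_d(NULL, 0, 1000000, 0));
    return 0;
}
```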