From 146daa1d0a43883bfa22ddfbb571b3d649c6465e Mon Sep 17 00:00:00 2001
From: Greg King
Date: Thu, 9 Jul 2015 14:46:28 -0400
Subject: [PATCH] Made some string output functions reject an invalid NULL buffer pointer.
---
 libsrc/common/vsnprintf.s | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsrc/common/vsnprintf.s b/libsrc/common/vsnprintf.s
index 94ad072ca..01bcd6406 100644
--- a/libsrc/common/vsnprintf.s
+++ b/libsrc/common/vsnprintf.s
@@ -86,9 +86,16 @@ L1: dex
 sta bufptr+0
 stx bufptr+1
+; There must be a buffer if its size is non-zero.
+
+ bit bufsize+1
+ bmi L5
+ ora bufptr+1
+ bze L0 ; The pointer shouldn't be NULL
+
 ; Restore ap and call _printf
- pla
+L5: pla
 tax
 pla
 jsr __printf
@@ -125,6 +132,11 @@ L4: lda ccount+0
 ; Bail out if size is too high.
 L9: lda #ERANGE
+ .byte $2C ;(bit $xxxx)
+
+; NULL buffer pointers usually are invalid.
+
+L0: lda #EINVAL
 jsr __directerrno ; Return -1
 jmp incsp6 ; Drop parameters
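Review bot: The new `bze L0` branch leaves before the `pla` / `tax` / `pla` at L5 that pulls ap back off the hardware stack, and the L0 path in the second hunk goes straight to `jsr __directerrno` and `jmp incsp6` without pulling those two bytes. incsp6 adjusts the C parameter stack, not the 6502 hardware stack, so unless ap is dropped somewhere outside these hunks the final `rts` would take the saved ap bytes as its return address and the NULL-pointer rejection would return to an unintended location. Consider discarding the two bytes on the error path while keeping the errno code in A, for example `tay`, two `pla`, then `tya`, placed after `lda #EINVAL` because the L9 path falls into that instruction. Whether L9 is entered with ap still pushed is not visible here (the function starts above the first hunk), so both entries need checking.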
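Review bot: The `.byte $2C` line added after `L9: lda #ERANGE` deserves a fuller comment than `;(bit $xxxx)`, since the fall-through from L9 into L0 depends on it. The byte is the opcode of an absolute-mode BIT that swallows the two bytes of `lda #EINVAL`, so the L9 path reaches `jsr __directerrno` with ERANGE still in A; a comment such as `; BIT abs opcode: skips the next 2-byte instruction, A stays ERANGE` would say so. The BIT still reads the address formed from those two bytes and changes N, V and Z, which is harmless only if nothing at that address reacts to a read; that is worth confirming for each target.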