In stdio-common/printf_fp.c there are some locations (handling error situations) in function _printf_fp() where the deallocation of memory for wbuffer is not handled. E.g. the macros PADN() und outchar() return to caller without checking wbuffer. I'm not sure whether this is intentionally done or not. #define outchar(ch) \ do \ { \ register const int outc = (ch); \ if (putc (outc, fp) == EOF) \ return -1; \ ++done; \ } while (0) #define PADN(ch, len) \ do \ { \ if (PAD (fp, ch, len) != len) \ return -1; \ done += len; \ } \ while (0)
Those really seem to not get freed.
Should be fixed in CVS.
Flagging as security- because the resource leak does not seem to have been relevant in practice.