curl: Security fix for CVE-2016-9586
authorThiruvadi Rajaraman <trajaraman@mvista.com>
Sat, 4 Nov 2017 15:10:45 +0000 (08:10 -0700)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Tue, 21 Nov 2017 14:42:57 +0000 (14:42 +0000)
Affected versions: libcurl 7.1 to and including 7.51.0
Not affected versions: libcurl >= 7.52.0

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
meta/recipes-support/curl/curl/CVE-2016-9586.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_7.50.1.bb

diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
new file mode 100644 (file)
index 0000000..1103cb0
--- /dev/null
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg <daniel@haxx.se>
+Date:   Tue Nov 8 15:32:37 2016 +0100
+
+    printf: fix floating point buffer overflow issues
+
+    ... and add a bunch of floating point printf tests
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c     2017-06-15 18:24:08.934720707 +0530
++++ curl-7.50.1/lib/mprintf.c  2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ #  define mp_uintmax_t unsigned long
+ #endif
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
++                        fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+         *fptr = 0;
+         if(width >= 0) {
++          if(width >= (long)sizeof(work))
++            width = sizeof(work)-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, "%ld", width);
+           fptr += len;
+           left -= len;
+         }
+         if(prec >= 0) {
++          /* for each digit in the integer part, we can have one less
++             precision */
++          size_t maxprec = sizeof(work) - 2;
++          double val = p->data.dnum;
++          while(val >= 10.0) {
++            val /= 10;
++            maxprec--;
++          }
++
++          if(prec > (long)maxprec)
++            prec = maxprec-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, ".%ld", prec);
+           fptr += len;
+@@ -935,7 +949,9 @@
+         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+            output characters */
+         (sprintf)(work, formatbuf, p->data.dnum);
+-
++#ifdef CURLDEBUG
++        assert(strlen(work) <= sizeof(work));
++#endif
+         for(fptr=work; *fptr; fptr++)
+           OUTCHAR(*fptr);
+       }
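Review bot: The digit-counting loop `while(val >= 10.0)` added in the `prec >= 0` branch never terminates when `p->data.dnum` is infinite, because `INFINITY >= 10.0` holds and `INFINITY / 10` is still infinite, so a caller formatting an infinite double with an explicit precision now hangs instead of overflowing (NaN is harmless, every comparison on it is false). The same loop also does nothing for negative values, since `-1e300 >= 10.0` is false, so neither the sign byte nor the integer digits of a negative number reduce `maxprec`, and `%.323f` of `-1e300` still produces a string far longer than the 326-byte `work` buffer; counting the digits of the magnitude and reserving one byte for the sign closes that gap without new includes, as in the rewrite below, and any `+`/space flag handled earlier in this function (outside the hunk) would need the same extra byte. The `CURLDEBUG` assert can only run after an overflow has already happened and its bound is off by one, since `strlen(work)` of an intact buffer is at most `sizeof(work) - 1`; it should read `assert(strlen(work) < sizeof(work));`. The enclosing format function starts before and continues after this hunk.
```c
          /* for each digit in the integer part, we can have one less
             precision; a leading '-' costs one byte as well */
          size_t maxprec = sizeof(work) - 2;
          double val = p->data.dnum;
          if(val < 0) {
            val = -val;
            maxprec--;
          }
          /* an infinite value never shrinks, so stop when the division is a
             no-op instead of looping forever */
          while(val >= 10.0 && val / 10 != val) {
            val /= 10;
            maxprec--;
          }
          /* … unchanged: prec clamp and recursive curl_msnprintf call … */
```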
index bdf5d73b31a0c0450e33afed3c76f570d586462d..67bbdebfe75b4fcfb7fec6bbeb8350f75d9a06e4 100644 (file)
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
              file://CVE-2016-8623.patch \
              file://CVE-2016-8617.patch \
              file://CVE-2016-8624.patch \
+             file://CVE-2016-9586.patch \
            "
 
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"