User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20070615 Build Identifier: nspr-4.8.7 and also in http://mxr.mozilla.org/nspr/source/nsprpub/pr/src/io/prprf.c#335 cvt_f function use sprintf that may generates buffer overflow ( trapped afterward by PR_ASSERT if nspr is compiled with debug flag. plain stack overflow otherwise ... ) Marked nspr issue as minor since the root problem was that our application was wrongly sending user data as format rather than as a %s format parameter but the fact that PR_vsnprintf generated stack overflow while the provided buffer and size are correct is a bit unexcpeted. maybe cvt_f should use snprintf instead of sprintf ... Reproducible: Always Steps to Reproduce: 1. create test program: #include "nspr.h" main(int argc,char **argv) { PR_fprintf(PR_STDOUT,"%900g",0.0); return 0; } 2. compile it and run it with non debug version I got a SIGSEGV at address 0x202020202020202020 when returning from cvt_f with debug mode I get Assertion failure: strlen(fout) < sizeof(fout), at ../../../../pr/src/io/prprf.c:366 Abort(coredump) 3. Actual Results: with non debug build of nspr I got a SIGSEGV at address 0x202020202020202020 and a broken stack when returning from cvt_f with debug build I get Assertion failure: strlen(fout) < sizeof(fout), at ../../../../pr/src/io/prprf.c:366 Expected Results: ideally the formatting function should fail and return some error but it should not crash. And if it crashs (like with the PR_ABORT case) make sure it crash before breaking the stack and making the debugging quite painfull ! -;) maybe using snprintf instead of sprintf ?