2022-08-03 Arnold D. Robbins * builtin.c (format_tree): When collecting positional field widths or precisions, check for wrap around to negative values. Thanks to YU Jiongchi for the report. diff --git a/builtin.c b/builtin.c index 21125453..b92db992 100644 --- a/builtin.c +++ b/builtin.c @@ -1030,7 +1030,10 @@ check_pos: s1++; n0--; } - if (val >= num_args) { + // val could be less than zero if someone provides a field width + // so large that it causes integer overflow. Mainly fuzzers do this, + // but let's try to be good anyway. + if (val < 0 || val >= num_args) { toofew = true; break; } -- 2.41.0
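Review bot: The new `val < 0 || val >= num_args` test in the `check_pos:` hunk detects the wrap only after it has happened; if `val` is a signed type, the overflow the comment describes ("a field width so large that it causes integer overflow") is undefined behaviour in C, and an optimizing compiler is entitled to assume it cannot occur and drop the `val < 0` branch. The safer fix is to reject the digit string before accumulating it past the representable range (a bound check in the loop that does `s1++; n0--;`, or accumulating into an unsigned type and range-checking once), so the negative value never arises. Also, the comment uses `//` where the surrounding code in this file uses `/* ... */`; consider matching the file's existing comment style.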