2004-09-17 Theodore A. Roth * libc/stdio/vfscanf.c (vfscanf): Fix a bounds error when scanning a '%d' which is followed by any of the characters of the ascii set between 'Z' and 'a'. [Fixes bug #10420]
Index: libc/stdio/vfscanf.c
===================================================================
RCS file: /cvsroot/avr-libc/avr-libc/libc/stdio/vfscanf.c,v
retrieving revision 1.1.2.3
diff -u -p -p -r1.1.2.3 vfscanf.c
--- libc/stdio/vfscanf.c 5 Apr 2004 18:35:00 -0000 1.1.2.3
+++ libc/stdio/vfscanf.c 17 Sep 2004 18:15:49 -0000
@@ -368,12 +368,17 @@ vfscanf(FILE *stream, const char *fmt, v
 for (;;) {
 j = tolower(i);
 j -= '0';
- if (j > 9)
- j -= 'a' - '0' - 10;
- if (j < 0 || j >= base) {
- ungetc(i, stream);
- break;
- }
+ if (j > 9) {
+ j -= ('a' + '0' + 10);
+ if (j < 10) {
+ ungetc(i, stream);
+ break;
+ }
+ }
+ if ((j < 0) || (j >= base)) {
+ ungetc(i, stream);
+ break;
+ }
 a.ul *= base;
 a.ul += j;
 #if SCANF_LEVEL > SCANF_MIN
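Review bot: The rewritten adjustment `j -= ('a' + '0' + 10);` flips the signs of the removed `'a' - '0' - 10`, so with ASCII values it subtracts 155 instead of 39. Every letter then ends up below 10 and takes the new `if (j < 10)` bail-out, so 'a' to 'f' would no longer be accepted as hex digits, in addition to the '[' to '`' range the commit means to reject. Keeping the original offset, `j -= ('a' - '0' - 10);`, still routes '[' to '`' (which map to 4 to 9) and ':' to '@' (which go negative) into the `j < 10` rejection, while 'a' maps to 10 as before. The loop body continues past the end of the hunk and the declaration of `j` is not visible, so this assumes `j` is a signed integer holding a byte-range value. A regression case that scans "ff" with `%x` alongside "1[" with `%d` would pin both behaviours.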