From: Mike Pall <mike>
Date: Thu, 25 Jan 2024 13:23:48 +0100
Subject: Fix zero stripping in %g number formatting.

Reported by pwnhacker0x18. #1149

Origin: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc
Bug: https://github.com/LuaJIT/LuaJIT/issues/1149
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25176
---
 src/lj_strfmt_num.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
index 3c60695..4121489 100644
--- a/src/lj_strfmt_num.c
+++ b/src/lj_strfmt_num.c
@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
 	    prec--;
 	    if (!i) {
 	      if (ndlo == ndhi) { prec = 0; break; }
-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
+	      ndlo = (ndlo + 1) & 0x3f;
+	      lj_strfmt_wuint9(tail, nd[ndlo]);
 	      i = 9;
 	    }
 	  }