Comment 3 for bug 2011326

Florian Weimer (fw) wrote :

The C standard says that the input is an array of the specified size. So I think an application that does this triggers undefined behavior.

We could support this as an extension, by extending the end-of-address-space saturation logic introduced for the fortified variant in this commit:

commit 0d50f477f47ba637b54fb03ac48d769ec4543e8d
Author: Florian Weimer <email address hidden>
Date: Wed Jan 25 08:01:00 2023 +0100

    stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)

The fortified case is different because the application does not specify the -1 buffer size in that case, so there's no application bug.
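
Added example, not part of the original comment and not glibc's code: a sketch of why a writer that tracks an exclusive end address needs saturation when the caller passes a size of -1 (`SIZE_MAX`). The names `wrapping_end`, `saturating_end`, `bounded_put` and `demo_buf` are hypothetical, and the end-address writer model is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample buffer for the demonstration. */
static char demo_buf[16];

/* Naive end computation: start + size wraps past the top of the
   address space when size is SIZE_MAX, yielding an end below start. */
static uintptr_t wrapping_end(uintptr_t start, size_t size)
{
    return start + (uintptr_t)size;
}

/* Saturating end computation: clamp to the highest address instead of
   wrapping. __builtin_add_overflow is a GCC/Clang builtin. */
static uintptr_t saturating_end(uintptr_t start, size_t size)
{
    uintptr_t end;
    if (__builtin_add_overflow(start, (uintptr_t)size, &end))
        end = UINTPTR_MAX;
    return end;
}

/* Copy src into dst, never storing at or beyond the exclusive address
   `end`. Always NUL-terminates when there is room for at least one byte.
   Returns the number of characters stored, excluding the NUL. */
static size_t bounded_put(char *dst, uintptr_t end, const char *src)
{
    uintptr_t cur = (uintptr_t)dst;
    if (end <= cur)
        return 0;                 /* wrapped or empty range: nothing fits */
    size_t room = end - cur - 1;  /* reserve one byte for the NUL */
    size_t n = strlen(src);
    if (n > room)
        n = room;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    uintptr_t start = (uintptr_t)demo_buf;
    /* With the wrapped end the output is dropped; with saturation it fits. */
    size_t lost = bounded_put(demo_buf, wrapping_end(start, SIZE_MAX), "hello");
    size_t kept = bounded_put(demo_buf, saturating_end(start, SIZE_MAX), "hello");
    return (lost == 0 && kept == 5) ? 0 : 1;
}
```
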