diff -rup a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c

--- a/stdio-common/vfprintf.c	2012-03-05 09:43:14.705536167 -0700

+++ b/stdio-common/vfprintf.c	2012-03-05 09:48:11.602890982 -0700

@@ -822,7 +822,7 @@ vfprintf (FILE *s, const CHAR_T *format,

 									      \

 	if (function_done < 0)						      \

 	  {								      \

-	    /* Error in print handler.  */				      \

+	    /* Error in print handler; up to handler to set errno.  */	      \

 	    done = -1;							      \

 	    goto all_done;						      \

 	  }								      \

@@ -876,7 +876,7 @@ vfprintf (FILE *s, const CHAR_T *format,

 									      \

 	if (function_done < 0)						      \

 	  {								      \

-	    /* Error in print handler.  */				      \

+	    /* Error in print handler; up to handler to set errno.  */	      \

 	    done = -1;							      \

 	    goto all_done;						      \

 	  }								      \

@@ -1117,7 +1117,7 @@ vfprintf (FILE *s, const CHAR_T *format,

 			 &mbstate);					      \

 	if (len == (size_t) -1)						      \

 	  {								      \

-	    /* Something went wron gduring the conversion.  Bail out.  */     \

+	    /* Something went wrong during the conversion.  Bail out.  */     \

 	    done = -1;							      \

 	    goto all_done;						      \

 	  }								      \

@@ -1188,6 +1188,7 @@ vfprintf (FILE *s, const CHAR_T *format,

 		      if (__mbsnrtowcs (ignore, &str2, strend - str2,	      \

 					ignore_size, &ps) == (size_t) -1)     \

 			{						      \

+			  /* Conversion function has set errno.  */	      \

 			  done = -1;					      \

 			  goto all_done;				      \

 			}						      \

@@ -1599,6 +1600,7 @@ vfprintf (FILE *s, const CHAR_T *format,

 	  if (spec == L_('\0'))

 	    {

 	      /* The format string ended before the specifier is complete.  */

+	      __set_errno (EINVAL);

 	      done = -1;

 	      goto all_done;

 	    }

@@ -1696,17 +1698,20 @@ do_positional:

     /* Determine the number of arguments the format string consumes.  */

     nargs = MAX (nargs, max_ref_arg);

+    /* Calculate total size needed to represent a single argument across

+       all three argument-related arrays.  */

     bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)

                     + sizeof (*args_type);

     /* Check for potential integer overflow.  */

-    if (nargs > SIZE_MAX / bytes_per_arg)

+    if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))

       {

+         __set_errno (ERANGE);

          done = -1;

          goto all_done;

       }

-    /* Allocate memory for the argument descriptions.  */

+    /* Allocate memory for all three argument arrays.  */

     if (__libc_use_alloca (nargs * bytes_per_arg))

         args_value = alloca (nargs * bytes_per_arg);

     else

@@ -1937,6 +1942,7 @@ do_positional:

 		       about # of chars.  */

 		    if (function_done < 0)

 		      {

+			/* Function has set errno.  */

 			done = -1;

 			goto all_done;

 		      }

@@ -1971,6 +1977,7 @@ do_positional:

 		 of chars.  */

 	      if (function_done < 0)

 		{

+		  /* Function has set errno.  */

 		  done = -1;

 		  goto all_done;

 		}