Index: lib/libc/stdio/printf-pos.c
===================================================================
--- lib/libc/stdio/printf-pos.c
+++ lib/libc/stdio/printf-pos.c
@@ -44,6 +44,7 @@
 #include "namespace.h"
 #include
+#include
 #include
 #include
 #include
@@ -70,9 +71,9 @@
 struct typetable {
 enum typeid *table; /* table of types */
 enum typeid stattable[STATIC_ARG_TBL_SIZE];
- int tablesize; /* current size of type table */
- int tablemax; /* largest used index in table */
- int nextarg; /* 1-based argument index */
+ u_int tablesize; /* current size of type table */
+ u_int tablemax; /* largest used index in table */
+ u_int nextarg; /* 1-based argument index */
 };
 static int __grow_type_table(struct typetable *);
@@ -84,7 +85,7 @@
 static inline void
 inittypes(struct typetable *types)
 {
- int n;
+ u_int n;
 types->table = types->stattable;
 types->tablesize = STATIC_ARG_TBL_SIZE;
@@ -185,7 +186,7 @@
 addaster(struct typetable *types, char **fmtp)
 {
 char *cp;
- int n2;
+ u_int n2;
 n2 = 0;
 cp = *fmtp;
@@ -194,7 +195,7 @@
 cp++;
 }
 if (*cp == '$') {
- int hold = types->nextarg;
+ u_int hold = types->nextarg;
 types->nextarg = n2;
 if (addtype(types, T_INT))
 return (-1);
@@ -211,7 +212,7 @@
 addwaster(struct typetable *types, wchar_t **fmtp)
 {
 wchar_t *cp;
- int n2;
+ u_int n2;
 n2 = 0;
 cp = *fmtp;
@@ -220,7 +221,7 @@
 cp++;
 }
 if (*cp == '$') {
- int hold = types->nextarg;
+ u_int hold = types->nextarg;
 types->nextarg = n2;
 if (addtype(types, T_INT))
 return (-1);
@@ -245,7 +246,7 @@
 {
 char *fmt; /* format string */
 int ch; /* character from fmt */
- int n; /* handy integer (short term usage) */
+ u_int n; /* handy integer (short term usage) */
 int error;
 int flags; /* flags as above */
 struct typetable types; /* table of types */
@@ -298,6 +299,11 @@
 n = 10 * n + to_digit(ch);
 ch = *fmt++;
 } while (is_digit(ch));
+ /* Detect overflow */
+ if (n > NL_ARGMAX) {
+ error = -1;
+ goto error;
+ }
 if (ch == '$') {
 types.nextarg = n;
 goto rflag;
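Review bot: `n2` in addaster (the `-185` hunk) is still accumulated with no bound of its own, so after the switch to `u_int` a long digit run before `$` wraps silently and the wrapped value is what `types->nextarg = n2;` stores. The only limit this patch puts on that path is the `nextarg > NL_ARGMAX` test in `__grow_type_table`, which a value that wrapped back into range would pass, leaving the `*` bound to a different argument slot than the one written in the format. The digit loop itself lies between this hunk and the `-194` hunk, which shows only its tail `cp++; }`; adding `if (n2 > NL_ARGMAX) return (-1);` inside that loop, right after the accumulation step, would reject the value before it can wrap. The same applies to addwaster in the `-211` and `-220` hunks.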
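Review bot: The `n > NL_ARGMAX` test in the `-298` hunk runs only after the `do { ... } while (is_digit(ch));` loop has finished, so with `n` now `u_int` a long enough digit run wraps first and can end up at or below NL_ARGMAX; the "Detect overflow" comment then describes a check that the overflow has already slipped past. Moving the same `if (n > NL_ARGMAX) { error = -1; goto error; }` block into the loop body, directly after `n = 10 * n + to_digit(ch);`, keeps `n` bounded on every iteration. The test also sits before `if (ch == '$')`, so it appears to reject a plain field width above NL_ARGMAX as well; if that is intended, a comment such as `/* Bounds both positions and widths */` would make it explicit. The identical block in the wide-character twin (the `-486` hunk) needs the same change.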
@@ -433,7 +439,7 @@
 {
 wchar_t *fmt; /* format string */
 wchar_t ch; /* character from fmt */
- int n; /* handy integer (short term usage) */
+ u_int n; /* handy integer (short term usage) */
 int error;
 int flags; /* flags as above */
 struct typetable types; /* table of types */
@@ -486,6 +492,11 @@
 n = 10 * n + to_digit(ch);
 ch = *fmt++;
 } while (is_digit(ch));
+ /* Detect overflow */
+ if (n > NL_ARGMAX) {
+ error = -1;
+ goto error;
+ }
 if (ch == '$') {
 types.nextarg = n;
 goto rflag;
@@ -624,7 +635,11 @@
 enum typeid *const oldtable = types->table;
 const int oldsize = types->tablesize;
 enum typeid *newtable;
- int n, newsize = oldsize * 2;
+ u_int n, newsize = oldsize * 2;
+
+ /* Detect overflow */
+ if (types->nextarg > NL_ARGMAX)
+ return (-1);
 if (newsize < types->nextarg + 1)
 newsize = types->nextarg + 1;
@@ -653,7 +668,7 @@
 static void
 build_arg_table(struct typetable *types, va_list ap, union arg **argtable)
 {
- int n;
+ u_int n;
 if (types->tablemax >= STATIC_ARG_TBL_SIZE) {
 *argtable = (union arg *)
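Review bot: In the `-624` hunk `oldsize` is left as `const int` while `tablesize`, `n` and `newsize` are now `u_int`, so `newsize = oldsize * 2` is still evaluated in signed arithmetic and only then converted. Declaring it `const u_int oldsize = types->tablesize;` keeps the whole function in one signedness and avoids mixed comparisons in the part of `__grow_type_table` that lies outside the hunk (presumably the copy/fill loops over `n`). The added test is a range check rather than an overflow check, so a comment like `/* Reject argument positions beyond NL_ARGMAX before sizing the table */` would describe it more accurately than `/* Detect overflow */`.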