Index: strfmon_l.c
===================================================================
--- strfmon_l.c (revision 80)
+++ strfmon_l.c (working copy)
@@ -233,7 +233,7 @@
 /* If we don't have enough room for the demanded width we can stop now and return an error. */
- if (dest + width >= s + maxsize)
+ if (width < 0 || dest + width >= s + maxsize)
 {
 __set_errno (E2BIG);
 return -1;
@@ -255,6 +255,11 @@
 left_prec *= 10;
 left_prec += to_digit (*fmt);
 }
+ if (left_prec < 0 || dest + left_prec >= s + maxsize)
+ {
+ __set_errno (E2BIG);
+ return -1;
+ }
 }
 /* Recognize right precision. */
@@ -272,6 +277,11 @@
 right_prec *= 10;
 right_prec += to_digit (*fmt);
 }
+ if (right_prec < 0 || dest + left_prec + right_prec >= s + maxsize )
+ {
+ __set_errno (E2BIG);
+ return -1;
+ }
 }
 /* Handle modifier. This is an extension. */
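Review bot: In the @@ -233 hunk the bound is still written as `dest + width >= s + maxsize`, which forms a pointer `width` bytes past `dest` before comparing. For a large `width` that pointer lies outside the buffer, which is undefined behaviour and can wrap on a 32-bit address space, so the comparison can pass when there is no room. Compare the count with the space that is left instead, `if (width < 0 || (size_t) width >= maxsize - (size_t) (dest - s))`, assuming `maxsize` is an unsigned size and `dest` stays within `s` .. `s + maxsize`. The checks added in the @@ -255 and @@ -272 hunks use the same pointer form and need the same change. The declaration of `width` and the rest of the function are outside the hunk.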
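Review bot: The `left_prec < 0` test added in the @@ -255 hunk runs after the digit loop has already executed `left_prec *= 10; left_prec += to_digit (*fmt);`, so it tries to detect an overflow that has already happened. If `left_prec` is a signed int (its declaration is outside the hunk), that overflow is undefined behaviour, and a long enough digit string can wrap back to a small non-negative value that passes the test. Reject the digit inside the loop before multiplying, as sketched below; `INT_MAX` needs `<limits.h>`, and the post-loop space check is still needed. The same applies to the `right_prec` loop in the @@ -272 hunk and presumably to the width loop above the @@ -233 hunk, which is not shown.

```c
/* … unchanged: digit loop header, outside the hunk … */
    int digit = to_digit (*fmt);

    if (left_prec > (INT_MAX - digit) / 10)
      {
        __set_errno (E2BIG);
        return -1;
      }
    left_prec = left_prec * 10 + digit;
/* … unchanged: end of the digit loop … */
```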
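Review bot: The check added in the @@ -272 hunk adds `left_prec` into the bound, but the left-precision block closes before the `/* Recognize right precision. */` comment, so this code appears to run also when no left precision was parsed. What `left_prec` holds in that case is set outside the hunk; if it is a negative "not specified" marker, the sum understates the space needed. Count it only when it was parsed, e.g. `(left_prec > 0 ? left_prec : 0) + right_prec`. The condition also ends in `maxsize )` with a stray space that the two other checks do not have.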