From dd742f8116b2f88bd3d505f76a0e07a651a176f3 Mon Sep 17 00:00:00 2001
From: Thanh-Phuong <python0429@gmail.com>
Date: Mon, 26 Jun 2017 22:18:25 -0500
Subject: [PATCH 1/3] Prevent arguments leaking

---
 src/sprintf.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/sprintf.js b/src/sprintf.js
index ccb78d8..d495523 100644
--- a/src/sprintf.js
+++ b/src/sprintf.js
@@ -22,16 +22,19 @@
     }
 
     function sprintf(key) {
-        // `arguments` is not an array, but should be fine for this call
-        return sprintf_format(sprintf_parse(key), arguments)
+        var leakGuard = new Array(arguments.length-1);
+        for (var i=1; i<leakGuard.length; ++i) {
+            leakGuard[i] = arguments[i];
+        }
+        return sprintf_format(sprintf_parse(key), leakGuard);
     }
 
     function vsprintf(fmt, argv) {
-        return sprintf.apply(null, [fmt].concat(argv || []))
+        return sprintf_format(sprintf_parse(fmt), argv || []);
     }
 
     function sprintf_format(parse_tree, argv) {
-        var cursor = 1, tree_length = parse_tree.length, arg, output = '', i, k, ph, pad, pad_character, pad_length, is_positive, sign
+        var cursor = 0, tree_length = parse_tree.length, arg, output = '', i, k, ph, pad, pad_character, pad_length, is_positive, sign
         for (i = 0; i < tree_length; i++) {
             if (typeof parse_tree[i] === 'string') {
                 output += parse_tree[i]
@@ -48,7 +51,7 @@
                     }
                 }
                 else if (ph.param_no) { // positional argument (explicit)
-                    arg = argv[ph.param_no]
+                    arg = argv[ph.param_no-1]
                 }
                 else { // positional argument (implicit)
                     arg = argv[cursor++]

From 1a624bad9d2315221206e05a9b843db9eb8b8d06 Mon Sep 17 00:00:00 2001
From: Thanh-Phuong <python0429@gmail.com>
Date: Mon, 26 Jun 2017 22:25:36 -0500
Subject: [PATCH 2/3] Shift arguments copy index

---
 src/sprintf.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/sprintf.js b/src/sprintf.js
index d495523..f889252 100644
--- a/src/sprintf.js
+++ b/src/sprintf.js
@@ -23,10 +23,10 @@
 
     function sprintf(key) {
         var leakGuard = new Array(arguments.length-1);
-        for (var i=1; i<leakGuard.length; ++i) {
-            leakGuard[i] = arguments[i];
+        for (var i=0; i<leakGuard.length; ++i) {
+            leakGuard[i] = arguments[i+1];
         }
-        return sprintf_format(sprintf_parse(key), leakGuard);
+        return vsprintf(key, leakGuard);
     }
 
     function vsprintf(fmt, argv) {

From ec4f68e7afe5c583b15f36549ccbaa8e84014d48 Mon Sep 17 00:00:00 2001
From: Thanh-Phuong <python0429@gmail.com>
Date: Tue, 27 Jun 2017 08:19:11 -0500
Subject: [PATCH 3/3] Remove semicolons at end of statement

---
 src/sprintf.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/sprintf.js b/src/sprintf.js
index f889252..7e0bfc7 100644
--- a/src/sprintf.js
+++ b/src/sprintf.js
@@ -22,15 +22,15 @@
     }
 
     function sprintf(key) {
-        var leakGuard = new Array(arguments.length-1);
+        var leakGuard = new Array(arguments.length-1)
         for (var i=0; i<leakGuard.length; ++i) {
-            leakGuard[i] = arguments[i+1];
+            leakGuard[i] = arguments[i+1]
         }
-        return vsprintf(key, leakGuard);
+        return vsprintf(key, leakGuard)
     }
 
     function vsprintf(fmt, argv) {
-        return sprintf_format(sprintf_parse(fmt), argv || []);
+        return sprintf_format(sprintf_parse(fmt), argv || [])
     }
 
     function sprintf_format(parse_tree, argv) {