Integer overflow on format specificator in strfmon(). NULL pointer dereference in printf().
vulners.com/securityvulns/securityvulns:doc:19527
vulners.com/securityvulns/securityvulns:doc:19528
vulners.com/securityvulns/securityvulns:doc:22482