Re: [hackers] [sbase] [PATCH] printf: Do not read past the end of the format string

2022-08-30 Thread Tom Schwindl
> Here, we enter the loop with `i = formatlen'. After the dot (`.') is matched,
> `i' is increased by one and effectively "overflows".

This should actually be:

Here, after the dot (`.') is matched, the same thing as in the previous case happens. `i' is matched three times instead of the expected

[hackers] [sbase] [PATCH] printf: Do not read past the end of the format string

2022-08-29 Thread Tom Schwindl
If a trailing `%' character occurs, we read past the end of the format string and thus introduce UB. Reproducible by executing the following:

	./printf %

This happens because the format string here actually consists of two characters, `%' _and_ the trailing nul-byte. The flag parsing loop matches
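The class of bug described in this thread is a format-specification scanner that advances its index without checking it against the length of the format string, so a bare `%' (or `%' followed only by flags, width or precision digits) makes the loop read the terminating nul byte and then the bytes beyond it. The following is an added illustration written for this archive page, not sbase's own printf code: a minimal scanner with hypothetical names (`scan_spec', `count_specs', `struct spec') in which every read of `fmt[i]' is guarded by `i < len', so a truncated specification is reported as an error instead of being read past the end of the buffer.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not sbase's. */
enum spec_status { SPEC_OK, SPEC_TRUNCATED, SPEC_NOT_A_SPEC };

struct spec {
	int minus, plus, space, zero, hash; /* flags seen */
	int width;                          /* -1 if absent */
	int precision;                      /* -1 if absent */
	char conv;                          /* conversion character */
	size_t consumed;                    /* bytes used, including the '%' */
};

static int
isflag(int c)
{
	return c == '-' || c == '+' || c == ' ' || c == '0' || c == '#';
}

/* Append a decimal digit, saturating instead of overflowing int. */
static int
accum(int v, int d)
{
	return v <= (INT_MAX - d) / 10 ? v * 10 + d : INT_MAX;
}

/* Scan one conversion specification starting at fmt[0] == '%'.
 * The bound is checked before every read of fmt[i], so a format that
 * ends inside a specification ("%", "%-5", "%.3") yields SPEC_TRUNCATED
 * rather than a read of the nul byte and whatever follows it. */
enum spec_status
scan_spec(const char *fmt, size_t len, struct spec *s)
{
	size_t i;

	memset(s, 0, sizeof *s);
	s->width = s->precision = -1;

	if (len == 0 || fmt[0] != '%')
		return SPEC_NOT_A_SPEC;

	/* flags: bound checked in the loop condition, before fmt[i] is read */
	for (i = 1; i < len && isflag((unsigned char)fmt[i]); i++) {
		switch (fmt[i]) {
		case '-': s->minus = 1; break;
		case '+': s->plus = 1; break;
		case ' ': s->space = 1; break;
		case '0': s->zero = 1; break;
		case '#': s->hash = 1; break;
		}
	}
	/* width */
	if (i < len && isdigit((unsigned char)fmt[i])) {
		s->width = 0;
		for (; i < len && isdigit((unsigned char)fmt[i]); i++)
			s->width = accum(s->width, fmt[i] - '0');
	}
	/* precision: the '.' is consumed only after it was checked to exist */
	if (i < len && fmt[i] == '.') {
		s->precision = 0;
		for (i++; i < len && isdigit((unsigned char)fmt[i]); i++)
			s->precision = accum(s->precision, fmt[i] - '0');
	}
	/* conversion character: this is the read the bare "%" case reaches */
	if (i >= len)
		return SPEC_TRUNCATED;
	s->conv = fmt[i++];
	s->consumed = i;
	return SPEC_OK;
}

/* Walk a whole format string: number of complete specifications ("%%"
 * counts as one with conv '%'), or -1 if the string ends inside one. */
int
count_specs(const char *fmt)
{
	size_t len = strlen(fmt), i = 0;
	int n = 0;
	struct spec s;

	while (i < len) {
		if (fmt[i] != '%') {
			i++;
			continue;
		}
		switch (scan_spec(fmt + i, len - i, &s)) {
		case SPEC_OK: n++; i += s.consumed; break;
		case SPEC_TRUNCATED: return -1;
		case SPEC_NOT_A_SPEC: i++; break; /* not reached: fmt[i] == '%' */
		}
	}
	return n;
}

int
main(void)
{
	/* constructed inputs, including the "%" case from the report */
	const char *tests[] = { "%", "%-5", "%.", "%5.2f", "abc %d %% %s", "no specs" };
	size_t k;

	for (k = 0; k < sizeof tests / sizeof tests[0]; k++)
		printf("%-14s -> %d\n", tests[k], count_specs(tests[k]));
	return 0;
}
```

The point of the example is the placement of the checks: the length is passed alongside the pointer and compared before each index is dereferenced, so nothing depends on the nul byte being where the scanner expects it. Running it prints -1 for the three truncated formats and the specification count for the rest.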