commit 36b50ee589a4fda66d222af7de8ad866d30613c7
Author: Willy Tarreau <w@1wt.eu>
Date:   Fri Mar 29 19:13:23 2019 +0100

    MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf()
    
    Most modern platforms don't touch the output buffer when the size
    argument is null, but there exist a few old ones (like AIX 5 and
    possibly Tru64) where the output will be dereferenced anyway, probably
    to write the trailing null, crashing the process. memprintf() uses this
    to measure the desired length.
    
    There is a very simple workaround to this consisting in passing a pointer
    to a character instead of a NULL pointer. It was confirmed to fix the issue
    on AIX 5.1.
    
    (cherry picked from commit e0609f5f49f55b122e7da9bd1d3b1b786366e80c)
    [wt: it likely makes sense to backport this to all supported branches]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from commit 1719b6be375bf9478c2cfe78caccd818d37a4d50)
    Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/src/standard.c b/src/standard.c
index 38c4f3f2..69cddcea 100644
--- a/src/standard.c
+++ b/src/standard.c
@@ -3402,12 +3402,14 @@ char *memvprintf(char **out, const char *format, va_list orig_args)
 		return NULL;
 
 	do {
+		char buf1;
+
 		/* vsnprintf() will return the required length even when the
 		 * target buffer is NULL. We do this in a loop just in case
 		 * intermediate evaluations get wrong.
 		 */
 		va_copy(args, orig_args);
-		needed = vsnprintf(ret, allocated, format, args);
+		needed = vsnprintf(ret ? ret : &buf1, allocated, format, args);
 		va_end(args);
 		if (needed < allocated) {
 			/* Note: on Solaris 8, the first iteration always