...
Section 7.21.6.1, para. 8, of the C standard [ISO/IEC 9899:2011], states:
A double argument representing a floating-point number is converted in the style [-]0xh.hhhhp±d, where there is one hexadecimal digit (which is nonzero if the argument is a normalized floating-point number and is otherwise unspecified) before the decimal-point character.
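The following program is an added example, not code from the CERT standard or the C standard's text. It shows the practical consequence of the quoted paragraph: a denormalized (subnormal) double is the only finite, nonzero value for which the "%a" conversion is not guaranteed to print a nonzero digit before the decimal-point character, so the leading digit of a "%a" result cannot be relied on to identify denormals. The portable check is the fpclassify() macro from <math.h>. The function names (is_denormal, leading_hex_digit_nonzero, halve) and the sample values are assumptions chosen for this example.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <string.h>

/* DBL_TRUE_MIN (the smallest positive subnormal, 2^-1074) was added in C11;
 * older headers lack it, so derive it from DBL_MIN * DBL_EPSILON. */
#ifndef DBL_TRUE_MIN
#define DBL_TRUE_MIN (DBL_MIN * DBL_EPSILON)
#endif

/* Portable denormal check: FP_SUBNORMAL is the C standard's name for a
 * denormalized number. This is the check a caller should use to reject or
 * flag denormals, rather than inspecting "%a" output. */
int is_denormal(double x) {
    return fpclassify(x) == FP_SUBNORMAL;
}

/* Format x with the "%a" conversion and report whether the single hexadecimal
 * digit before the decimal-point character is nonzero. 7.21.6.1 p8 guarantees
 * a nonzero digit only for normalized arguments; for a denormal the digit is
 * unspecified, so this function's result for such inputs depends on the C
 * library (example names and layout are assumptions of this illustration).
 * Returns -1 if the output does not carry the expected "0x"/"0X" prefix. */
int leading_hex_digit_nonzero(double x) {
    char buf[64];
    int n = snprintf(buf, sizeof buf, "%a", x);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    const char *p = buf;
    if (*p == '-')
        p++;
    if (strncmp(p, "0x", 2) != 0 && strncmp(p, "0X", 2) != 0)
        return -1;
    return p[2] != '0';
}

/* Halve x and force the quotient to be rounded to double, even on targets that
 * evaluate intermediates in a wider format (FLT_EVAL_METHOD == 2). Halving the
 * smallest subnormal is a tie between 0 and DBL_TRUE_MIN; round-to-nearest-even
 * picks 0, which is the silent loss of information the rule warns about. */
double halve(double x) {
    volatile double r = x / 2.0;
    return r;
}

int main(void) {
    /* Constructed sample values: two ordinary doubles, the normalized extremes,
     * and two subnormals. */
    const double samples[] = { 1.0, -2.5, DBL_MIN, DBL_MAX, DBL_MIN / 2.0, DBL_TRUE_MIN };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-26a denormal=%d leading_digit_nonzero=%d\n",
               samples[i], is_denormal(samples[i]),
               leading_hex_digit_nonzero(samples[i]));
    }
    printf("halve(DBL_TRUE_MIN) == 0.0: %d\n", halve(DBL_TRUE_MIN) == 0.0);
    return 0;
}
```

Two caveats when running this. First, the leading digit printed for the subnormal rows is whatever the C library chooses; only the rows for normalized values are covered by the standard's guarantee, so the assertions a reviewer can make are on those rows and on fpclassify(). Second, compiling with flush-to-zero or denormals-are-zero enabled (for example via -ffast-math on x86) changes the behaviour: DBL_MIN / 2.0 is then treated as 0 and is_denormal() reports 0, which is itself a reason to detect denormals explicitly rather than assuming hardware behaviour.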
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
The CERT Oracle Secure Coding Standard for Java: NUM05-J. Do not use denormalized numbers
Bibliography
[IEEE 754]
[Bryant 2003] Section 2.4 "Floating point"
...