This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Buffer overrun in vfwscanf

From: Corinna Vinschen <vinschen at redhat dot com>
To: newlib at sourceware dot org
Date: Sat, 26 Mar 2016 12:44:34 +0100
Subject: Re: Buffer overrun in vfwscanf
Authentication-results: sourceware.org; auth=none
References: <CAOrNasyhUCAGU9zxUTFcLbSo34w8OsBFXM5mXOiCsa8DkNF1tw at mail dot gmail dot com>
Reply-to: newlib at sourceware dot org

On Mar 25 14:29, Douglas Katzman wrote:
> Hi,
> 
> There's an access before the beginning of an array at line 351 of
> vfwscanf.c if the machine's wchar_t type is 4 bytes.  gcc seems not to
> care about this, but clang finds it.
> 
> sizeof (fp->_ubuf) = 3, and it computes &fp->_ubuf[3 - 4] and then
> assigns through that pointer, stomping on 1 byte of the preceding _ur
> field.
> In general it looks like wide char support only works for 2 byte chars.
> 
> Also, entirely separate issue:
> The last 2 parameters in the "Traditional C" argument list for
> _sungetc_r and _sungetwc_r and reversed and wrongly named.
> _sungetc_r has (data, fp, ch) but should be (data, c, fp)
> _sungetwc_r has (data, fp, ch) but should be (data, wc, fp)
> 
> Doug

Please feel free to send patches against the git repo.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

Attachment: signature.asc
Description: PGP signature

References:
- Buffer overrun in vfwscanf
  - From: Douglas Katzman

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]