This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH][BZ #16055] Do not let scanf("%4p") accept "(nil)"
- From: OndÅej BÃlka <neleai at seznam dot cz>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Sun, 17 Nov 2013 10:55:17 +0100
- Subject: [PATCH][BZ #16055] Do not let scanf("%4p") accept "(nil)"
- Authentication-results: sourceware.org; auth=none
Hi,
This bug was found by cppcheck that complained on
(width < 0 || width >= 0) being always true.
Andreas commented this
"I think the intention was (width < 0 || width >= 5)"
as condition below is used to read (nil) pointer.
OK to commit?
[BZ #16055]
* stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
when we match (nil).
* stdio-common/tst-sscanf.c (struct test): Add testcase.
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58..f66c076 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
{ L("foo bar"), L("foo bar"), 0 },
{ L("foo bar"), L("foo %d"), 0 },
{ L("foo bar"), L("foon%d"), 0 },
+ { L("foo (nil)"), L("foo %p"), 1},
+ { L("foo (nil)"), L("foo %4p"), 0},
{ L("foo "), L("foo %n"), 0 },
{ L("foo%bar1"), L("foo%%bar%d"), 1 },
/* Some OSes skip whitespace here while others don't. */
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f3..4f26fb1 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
we must recognize "(nil)" as well. */
if (__builtin_expect (wpsize == 0
&& (flags & READ_POINTER)
- && (width < 0 || width >= 0)
+ && (width < 0 || width >= 5)
&& c == '('
&& TOLOWER (inchar ()) == L_('n')
&& TOLOWER (inchar ()) == L_('i')