Fix vfwscanf(3) assignment suppression flag handling bug

Message ID e9aca8f1-f199-8378-83dd-7de0ae079e29@lucioillanes.de
State Accepted
Commit d5daede26c651f4e9d6c7abbd2dd2937a1e24e2d

Commit Message

Lucio Andrés Illanes Albornoz June 1, 2019, 8:33 a.m.
newlib's vfwscanf(3) (or specifically, __SVFWSCANF_R()) fails to correctly set
the assignment-suppressing character (`*') flag[1] which, when present in the
formatting string, results in undefined behaviour comprising retrieving and
dereferencing a pointer that was not supplied by the caller as such or at all.
When compared to the vfscanf(3) implementation, this would appear to be over
the missing goto match_failure statement preceded by the flags test seen below.
Hence, this patch (re)introduces it.

[1] <http://pubs.opengroup.org/onlinepubs/009695399/functions/fwscanf.html>

--
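
A regression check for the behaviour the commit message describes, as an added example that is not part of the original patch or of newlib. It assumes the standard swscanf(3) as the entry point to the wide-character scanner; `check_wscanf_suppression` is a hypothetical helper name and the input strings are constructed.

```c
#include <stdio.h>
#include <wchar.h>

/* Returns 0 when every suppressed conversion behaves as POSIX requires,
   otherwise the number of the first failing check. */
int check_wscanf_suppression(void)
{
    int a = -1, b = -1, n;
    wchar_t word[16] = L"";

    /* 1: "%*d" consumes "10" without taking an argument, so the single
       pointer supplied must receive 20. */
    n = swscanf(L"10 20", L"%*d %d", &a);
    if (n != 1 || a != 20)
        return 1;

    /* 2: suppressed conversions are not counted in the return value. */
    a = -1;
    n = swscanf(L"1 2 3", L"%*d %*d %d", &a);
    if (n != 1 || a != 3)
        return 2;

    /* 3: '*' followed by a field width and a length modifier. */
    n = swscanf(L"skipme keep 7", L"%*6ls %15ls %d", word, &b);
    if (n != 2 || wcscmp(word, L"keep") != 0 || b != 7)
        return 3;

    /* 4: only a suppressed conversion: input matches, nothing is
       assigned, and no argument may be fetched at all. */
    n = swscanf(L"42", L"%*d");
    if (n != 0)
        return 4;

    return 0;
}

int main(void)
{
    int rc = check_wscanf_suppression();
    if (rc != 0)
        printf("assignment suppression check %d failed\n", rc);
    else
        printf("assignment suppression handled correctly\n");
    return rc;
}
```
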

Comments

Corinna Vinschen June 3, 2019, 8:41 a.m. | #1
On Jun  1 10:33, Lucio Andrés Illanes Albornoz wrote:
> newlib's vfwscanf(3) (or specifically, __SVFWSCANF_R()) fails to correctly set
> the assignment-suppressing character (`*') flag[1] which, when present in the
> formatting string, results in undefined behaviour comprising retrieving and
> dereferencing a pointer that was not supplied by the caller as such or at all.
> When compared to the vfscanf(3) implementation, this would appear to be over
> the missing goto match_failure statement preceded by the flags test seen below.
> Hence, this patch (re)introduces it.
>
> [1] <http://pubs.opengroup.org/onlinepubs/009695399/functions/fwscanf.html>


Pushed.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

Patch

diff --git a/newlib/libc/stdio/vfwscanf.c b/newlib/libc/stdio/vfwscanf.c
index 0464b0837..ffb6cc85b 100644
--- a/newlib/libc/stdio/vfwscanf.c
+++ b/newlib/libc/stdio/vfwscanf.c
@@ -602,6 +602,7 @@  __SVFWSCANF_R (struct _reent *rptr,
 	case L'*':
 	  if ((flags & (CHAR | SHORT | LONG | LONGDBL | SUPPRESS | MALLOC))
 	      || width)
+	    goto match_failure;
 	  flags |= SUPPRESS;
 	  goto again;
 	case L'l':
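
Review bot: In `case L'*':` the unbraced `if` relies on the single restored `goto match_failure;` line to keep `flags |= SUPPRESS;` out of its body; with that line missing, the assignment became the body of the `if`, so SUPPRESS was set only for specifications that should have been rejected and never for a plain `%*d`. The fix looks right, but I would add a one-line comment above the test stating that `*` must come before any width or length modifier and may appear only once, and ship a regression test with the patch, for example a `%*d %d` conversion called with a single pointer argument, so the line cannot be dropped silently again.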