author | Ondřej Bílka <neleai@seznam.cz> | 2013-11-18 12:41:00 +0100 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2013-11-18 12:42:23 +0100 |
commit | 728dab0e13529ba8778e6ef07e2cc80eddf028b5 (patch) | |
tree | 390911e7cb25cd8ed168393f1e4d194596fa44c6 | |
parent | dd8082389e5448c3e716de8431817b30565a48d3 (diff) | |
Do not let scanf("%4p") accept "(nil)". Fixes bug 16055
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | stdio-common/tst-sscanf.c | 2 | ||||
-rw-r--r-- | stdio-common/vfscanf.c | 2 |
4 files changed, 12 insertions, 3 deletions
@@ -1,3 +1,10 @@
+2013-11-07 Ondřej Bílka <neleai@seznam.cz>
+
+ [BZ #16055]
+ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
+ when we match (nil).
+ * stdio-common/tst-sscanf.c (struct test): Add testcase.
+
 2013-11-16 Joseph Myers <joseph@codesourcery.com> * math/libm-test.inc (TEST_NAN_SIGN): New macro.
@@ -17,8 +17,8 @@ Version 2.19
 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
- 16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112,
- 16143, 16146, 16150, 16151, 16153, 16167, 16172.
+ 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
+ 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58a63..a77bc7e30b 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
 { L("foo bar"), L("foo bar"), 0 },
 { L("foo bar"), L("foo %d"), 0 },
 { L("foo bar"), L("foon%d"), 0 },
+ { L("foo (nil)"), L("foo %p"), 1},
+ { L("foo (nil)"), L("foo %4p"), 0},
 { L("foo "), L("foo %n"), 0 },
 { L("foo%bar1"), L("foo%%bar%d"), 1 },
 /* Some OSes skip whitespace here while others don't. */
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f372b..c0b93ae3b7 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 we must recognize "(nil)" as well. */
 if (__builtin_expect (wpsize == 0
 && (flags & READ_POINTER)
- && (width < 0 || width >= 0)
+ && (width < 0 || width >= 5)
 && c == '('
 && TOLOWER (inchar ()) == L_('n')
 && TOLOWER (inchar ()) == L_('i') |
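Review bot: The two cases added to stdio-common/tst-sscanf.c cover an unlimited width (`%p`) and a width one short of "(nil)" (`%4p`), but not the boundary that the new `width >= 5` comparison in vfscanf.c introduces. A third entry such as `{ L("foo (nil)"), L("foo %5p"), 1},` would catch an off-by-one in either direction. The expected value 1 is inferred from the new condition and should be confirmed by running the test. The test table starts and ends outside this hunk.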
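Review bot: The `5` in `&& (width < 0 || width >= 5)` (stdio-common/vfscanf.c, `_IO_vfscanf_internal`) is the length of the literal "(nil)", but nothing on the line says so, and the comment above it only states that "(nil)" must be recognized. A short comment such as `/* "(nil)" is 5 characters; a narrower field width cannot hold it.  */` would tie the bound to the string being matched. It is also worth noting there that the width test must stay ahead of the `inchar ()` calls in the chain, since a rejected width then short-circuits before any further input is consumed. The condition and the enclosing function continue outside this hunk, so the handling of a partial match is not visible here.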