diff options
| author | Florian Weimer <fweimer@redhat.com> | 2016-09-02 15:59:34 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2016-09-02 15:59:34 +0200 |
| commit | 9dd87afbf1a2f7991a733609bbda6f26cadaa6ce (patch) | |
| tree | 92f2635fe04cf52d11e3eaf91dab849c7ef1bdba /ChangeLog | |
| parent | 326e288b1e43832c138e5eb4521157d8aacef5b7 (diff) | |
| download | glibc-9dd87afbf1a2f7991a733609bbda6f26cadaa6ce.tar glibc-9dd87afbf1a2f7991a733609bbda6f26cadaa6ce.tar.gz glibc-9dd87afbf1a2f7991a733609bbda6f26cadaa6ce.tar.bz2 glibc-9dd87afbf1a2f7991a733609bbda6f26cadaa6ce.zip | |
vfscanf: Avoid multiple reads of multi-byte character width
This avoids a race condition if the process-global locale is changed
while vfscanf is running. MB_LEN_MAX is always larger than MB_CUR_MAX,
so we might realloc earlier than necessary (but even MB_CUR_MAX could
be larger than the minimum required space).
The existing length was a bit questionable because str + MB_LEN_MAX
might point past the end of the buffer.
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -1,5 +1,11 @@ 2016-09-02 Florian Weimer <fweimer@redhat.com> + * stdio-common/vfscanf.c (_IO_vfwscanf): Use MB_LEN_MAX instead of + MB_CUR_MAX to avoid race condition. Avoid pointer arithmetic + outside of allocated array. + +2016-09-02 Florian Weimer <fweimer@redhat.com> + * stdio-common/vfprintf.c (process_string_arg): Use MB_LEN_MAX instead of MB_CUR_MAX to avoid variable-length array. |