diff options
| author | Andreas Schwab <schwab@suse.de> | 2013-01-14 17:32:20 +0100 |
|---|---|---|
| committer | Andreas Schwab <schwab@suse.de> | 2013-04-11 10:24:37 +0200 |
| commit | 6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2 (patch) | |
| tree | f6e388cdb8eff711e7f0af5af0cf77cff1404b70 | |
| parent | 273cdee86d86e107c0eecef5614f57e37567b54e (diff) | |
| download | glibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.tar.gz glibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.tar.xz glibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.zip | |
Don't accept exp char without preceding digits in scanf float parsing
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 12 | ||||
| -rw-r--r-- | stdio-common/Makefile | 2 | ||||
| -rw-r--r-- | stdio-common/bug26.c | 37 | ||||
| -rw-r--r-- | stdio-common/vfscanf.c | 16 |
5 files changed, 61 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog index 6313627eb6..c64d69006c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ 2013-04-11 Andreas Schwab <schwab@suse.de> + [BZ #13988] + * stdio-common/vfscanf.c (_IO_vfwscanf): When parsing a float + accept exponent character only when digits were seen. + * stdio-common/Makefile (tests): Add bug26. + * stdio-common/bug26.c: New file. + [BZ #14293] * elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as non-freeable. diff --git a/NEWS b/NEWS index 639b1f027f..66efb82dfd 100644 --- a/NEWS +++ b/NEWS @@ -9,12 +9,12 @@ Version 2.18 * The following bugs are resolved with this release: - 10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142, - 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920, - 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023, - 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283, - 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336, - 15337, 15342, 15346. + 10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 13988, + 14142, 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, + 14920, 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, + 15023, 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, + 15283, 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, + 15336, 15337, 15342, 15346. * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla #15078). diff --git a/stdio-common/Makefile b/stdio-common/Makefile index f64a8ba2d9..658804bbe8 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \ - bug25 tst-printf-round + bug25 tst-printf-round bug26 test-srcs = tst-unbputc tst-printf diff --git a/stdio-common/bug26.c b/stdio-common/bug26.c new file mode 100644 index 0000000000..a4c6bce939 --- /dev/null +++ b/stdio-common/bug26.c @@ -0,0 +1,37 @@ +/* Copyright (C) 2013 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <stdio.h> +#include <string.h> + +int +main (void) +{ + FILE *f; + int lost = 0; + int c; + double d; + char s[] = "+.e"; + + f = fmemopen (s, strlen (s), "r"); + /* This should fail to parse a float and leave 'e' in the input. */ + lost |= (fscanf (f, "%f", &d) != 0); + c = fgetc (f); + lost |= c != 'e'; + puts (lost ? "Test FAILED!" : "Test succeeded."); + return lost; +} diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c index 9b5c4a9c88..82f7eee192 100644 --- a/stdio-common/vfscanf.c +++ b/stdio-common/vfscanf.c @@ -222,7 +222,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, /* Errno of last failed inchar call. */ int inchar_errno = 0; /* Status for reading F-P nums. */ - char got_dot, got_e, negative; + char got_digit, got_dot, got_e, negative; /* If a [...] is a [^...]. */ CHAR_T not_in; #define exp_char not_in @@ -1845,7 +1845,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, if (__builtin_expect (c == EOF, 0)) input_error (); - got_dot = got_e = 0; + got_digit = got_dot = got_e = 0; /* Check for a sign. */ if (c == L_('-') || c == L_('+')) @@ -1971,13 +1971,19 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, while (1) { if (ISDIGIT (c)) - ADDW (c); + { + ADDW (c); + got_digit = 1; + } else if (!got_e && (flags & HEXA_FLOAT) && ISXDIGIT (c)) - ADDW (c); + { + ADDW (c); + got_digit = 1; + } else if (got_e && wp[wpsize - 1] == exp_char && (c == L_('-') || c == L_('+'))) ADDW (c); - else if (wpsize > 0 && !got_e + else if (got_digit && !got_e && (CHAR_T) TOLOWER (c) == exp_char) { ADDW (exp_char); |