diff options
| author | Ondřej Bílka <neleai@seznam.cz> | 2013-11-18 12:41:00 +0100 |
|---|---|---|
| committer | Ondřej Bílka <neleai@seznam.cz> | 2013-11-18 12:42:23 +0100 |
| commit | 728dab0e13529ba8778e6ef07e2cc80eddf028b5 (patch) | |
| tree | 390911e7cb25cd8ed168393f1e4d194596fa44c6 | |
| parent | dd8082389e5448c3e716de8431817b30565a48d3 (diff) | |
| download | glibc-728dab0e13529ba8778e6ef07e2cc80eddf028b5.tar.gz glibc-728dab0e13529ba8778e6ef07e2cc80eddf028b5.tar.xz glibc-728dab0e13529ba8778e6ef07e2cc80eddf028b5.zip | |
Do not let scanf("%4p") accept "(nil)". Fixes bug 16055
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | stdio-common/tst-sscanf.c | 2 | ||||
| -rw-r--r-- | stdio-common/vfscanf.c | 2 |
4 files changed, 12 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index 7e543afda8..8ecba52813 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2013-11-07 Ondřej Bílka <neleai@seznam.cz> + + [BZ #16055] + * stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width + when we match (nil). + * stdio-common/tst-sscanf.c (struct test): Add testcase. + 2013-11-16 Joseph Myers <joseph@codesourcery.com> * math/libm-test.inc (TEST_NAN_SIGN): New macro. diff --git a/NEWS b/NEWS index f803fa6c65..fc1b63c4b1 100644 --- a/NEWS +++ b/NEWS @@ -17,8 +17,8 @@ Version 2.19 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032, - 16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112, - 16143, 16146, 16150, 16151, 16153, 16167, 16172. + 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103, + 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172. * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c index 3c34f58a63..a77bc7e30b 100644 --- a/stdio-common/tst-sscanf.c +++ b/stdio-common/tst-sscanf.c @@ -92,6 +92,8 @@ struct test { L("foo bar"), L("foo bar"), 0 }, { L("foo bar"), L("foo %d"), 0 }, { L("foo bar"), L("foon%d"), 0 }, + { L("foo (nil)"), L("foo %p"), 1}, + { L("foo (nil)"), L("foo %4p"), 0}, { L("foo "), L("foo %n"), 0 }, { L("foo%bar1"), L("foo%%bar%d"), 1 }, /* Some OSes skip whitespace here while others don't. */ diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c index e6fa8f372b..c0b93ae3b7 100644 --- a/stdio-common/vfscanf.c +++ b/stdio-common/vfscanf.c @@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, we must recognize "(nil)" as well. */ if (__builtin_expect (wpsize == 0 && (flags & READ_POINTER) - && (width < 0 || width >= 0) + && (width < 0 || width >= 5) && c == '(' && TOLOWER (inchar ()) == L_('n') && TOLOWER (inchar ()) == L_('i') |