From 728dab0e13529ba8778e6ef07e2cc80eddf028b5 Mon Sep 17 00:00:00 2001
From: Ondřej Bílka
Date: Mon, 18 Nov 2013 12:41:00 +0100
Subject: Do not let scanf("%4p") accept "(nil)". Fixes bug 16055
---
 stdio-common/tst-sscanf.c | 2 ++
 stdio-common/vfscanf.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
(limited to 'stdio-common')
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58a63..a77bc7e30b 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
 { L("foo bar"), L("foo bar"), 0 },
 { L("foo bar"), L("foo %d"), 0 },
 { L("foo bar"), L("foon%d"), 0 },
+ { L("foo (nil)"), L("foo %p"), 1},
+ { L("foo (nil)"), L("foo %4p"), 0},
 { L("foo "), L("foo %n"), 0 },
 { L("foo%bar1"), L("foo%%bar%d"), 1 },
 /* Some OSes skip whitespace here while others don't. */
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f372b..c0b93ae3b7 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 we must recognize "(nil)" as well. */
 if (__builtin_expect (wpsize == 0
 && (flags & READ_POINTER)
- && (width < 0 || width >= 0)
+ && (width < 0 || width >= 5)
 && c == '('
 && TOLOWER (inchar ()) == L_('n')
 && TOLOWER (inchar ()) == L_('i')
--
cgit 1.4.1
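Review bot: The two added rows test a width below the token length (`%4p`) and no width at all (`%p`), but not the boundary, so the `>= 5` threshold in vfscanf.c is not pinned from both sides. Adding `{ L("foo (nil)"), L("foo %5p"), 1 },` next to the `%4p` row would catch an off-by-one in either direction; the expected value 1 is inferred from the new condition and should be confirmed by running the test. The new rows also end in `1}` and `0}` where the neighbouring rows use `0 },`, a spacing inconsistency worth fixing in the same change.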
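Review bot: The literal `5` in `width >= 5` is the length of the string "(nil)", but nothing on that line says so, and the two can drift apart if the accepted spelling ever changes. Either derive it, e.g. `&& (width < 0 || width >= (int) sizeof "(nil)" - 1)`, or add a comment such as `/* 5 is strlen ("(nil)"); a narrower field must not consume the whole token.  */`. The field width is the caller's bound on how much input a conversion may consume, so this comparison deserves to be self-explanatory. The condition starts and continues outside the hunk, so how the later `inchar ()` calls interact with the width cannot be checked from here.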