diff options
| author | Rich Felker <dalias@aerifal.cx> | 2020-04-17 15:31:16 -0400 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2020-04-17 15:55:17 -0400 |
| commit | 086542fb5bc88f590547147365630b9a44df223b (patch) | |
| tree | 49c4e2cab63a4a866ab28dbb832cbc5427ee98ef /src/internal | |
| parent | b287cd745c2243f8e5114331763a5a9813b5f6ee (diff) | |
| download | musl-086542fb5bc88f590547147365630b9a44df223b.tar.gz musl-086542fb5bc88f590547147365630b9a44df223b.tar.xz musl-086542fb5bc88f590547147365630b9a44df223b.zip | |
fix possible access to uninitialized memory in shgetc (via scanf)
shgetc sets up to be able to perform an "unget" operation without the
caller having to remember and pass back the character value, and for
this purpose used a conditional store idiom:
if (f->rpos[-1] != c) f->rpos[-1] = c
to make it safe to use with non-writable buffers (setup by the
sh_fromstring macro or __string_read with sscanf).
however, validity of this depends on the buffer space at rpos[-1]
being initialized, which is not the case under some conditions
(including at least unbuffered files and fmemopen ones).
whenever data was read "through the buffer", the desired character
value is already in place and does not need to be written. thus,
rather than testing for the absence of the value, we can test for
rpos<=buf, indicating that the last character read could not have come
from the buffer, and thereby that we have a "real" buffer (possibly of
zero length) with writable pushback (UNGET bytes) below it.
Diffstat (limited to 'src/internal')
| -rw-r--r-- | src/internal/shgetc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/internal/shgetc.c b/src/internal/shgetc.c index a4a9c633..7455d2f0 100644 --- a/src/internal/shgetc.c +++ b/src/internal/shgetc.c @@ -32,6 +32,6 @@ int __shgetc(FILE *f) else f->shend = f->rend; f->shcnt = f->buf - f->rpos + cnt; - if (f->rpos[-1] != c) f->rpos[-1] = c; + if (f->rpos <= f->buf) f->rpos[-1] = c; return c; } |