stdio-common: Fix bad NaN crash in scanf input specifier tests [BZ #32857]
authorMaciej W. Rozycki <macro@redhat.com>
Sat, 23 Aug 2025 00:02:10 +0000 (01:02 +0100)
committerMaciej W. Rozycki <macro@redhat.com>
Sat, 23 Aug 2025 00:02:46 +0000 (01:02 +0100)
Fix a null pointer dereference causing a crash in 'read_real' when the
terminating null character is written for use with the subsequent call
to 'nan' for invalid NaN reference input, such as:

%a:nan:1:3:nanny:

by moving all the 'n-char-sequence' handling under the check for the
opening parenthesis.

No test case added as it's a test case issue in the first place.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
stdio-common/tst-scanf-format-real.h

index 9ed8dc00a19a7ed9f244b5171272fe44dad5b687..93de3cadafa593454eb5880efb2eb9f5d7eed824 100644 (file)
@@ -201,41 +201,43 @@ out:                                                                      \
            goto out;                                                   \
          }                                                             \
                                                                        \
-       size_t seq_size = 0;                                            \
-       char *seq = NULL;                                               \
-       i = 0;                                                          \
        if (ch == '(')                                                  \
-         while (1)                                                     \
-           {                                                           \
-             if (i == seq_size)                                        \
-               {                                                       \
-                 seq_size += SIZE_CHUNK;                               \
-                 seq = xrealloc (seq, seq_size);                       \
-               }                                                       \
-             ch = read_input ();                                       \
-             if (ch == ')')                                            \
-               break;                                                  \
-             if (ch != '_' && !isdigit (ch)                            \
-                 && !(ch >= 'A' && ch <= 'Z')                          \
-                 && !(ch >= 'a' && ch <= 'z'))                         \
-               {                                                       \
-                 free (seq);                                           \
-                 err = ch < 0 ? ch : INPUT_FORMAT;                     \
-                 v = NAN;                                              \
-                 goto out;                                             \
-               }                                                       \
-             seq[i++] = ch;                                            \
-           }                                                           \
-       seq[i] = '\0';                                                  \
-                                                                       \
-       ch = read_input ();                                             \
-       if (ch == ':')                                                  \
          {                                                             \
-           v = m ? -nan (v, seq) : nan (v, seq);                       \
+           size_t seq_size = 0;                                        \
+           char *seq = NULL;                                           \
+           i = 0;                                                      \
+           while (1)                                                   \
+             {                                                         \
+               if (i == seq_size)                                      \
+                 {                                                     \
+                   seq_size += SIZE_CHUNK;                             \
+                   seq = xrealloc (seq, seq_size);                     \
+                 }                                                     \
+               ch = read_input ();                                     \
+               if (ch == ')')                                          \
+                 break;                                                \
+               if (ch != '_' && !isdigit (ch)                          \
+                   && !(ch >= 'A' && ch <= 'Z')                        \
+                   && !(ch >= 'a' && ch <= 'z'))                       \
+                 {                                                     \
+                   free (seq);                                         \
+                   err = ch < 0 ? ch : INPUT_FORMAT;                   \
+                   v = NAN;                                            \
+                   goto out;                                           \
+                 }                                                     \
+               seq[i++] = ch;                                          \
+             }                                                         \
+           seq[i] = '\0';                                              \
+                                                                       \
+           ch = read_input ();                                         \
+           if (ch == ':')                                              \
+             {                                                         \
+               v = m ? -nan (v, seq) : nan (v, seq);                   \
+               free (seq);                                             \
+               goto out;                                               \
+             }                                                         \
            free (seq);                                                 \
-           goto out;                                                   \
          }                                                             \
-       free (seq);                                                     \
       }                                                                        \
       err = ch < 0 ? ch : INPUT_FORMAT;                                        \
       v = NAN;                                                         \
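Review bot: In the relocated character-class test inside the `while (1)` loop, `isdigit (ch)` is called on whatever `read_input ()` returned, and the error path just below it (`err = ch < 0 ? ch : INPUT_FORMAT;`) shows that this value can be negative. Passing a negative value other than EOF to a `<ctype.h>` function is undefined behaviour, so testing the sign first is safer: `if (ch < 0 || (ch != '_' && !isdigit (ch)`, with the matching closing parenthesis added after the `'z'` comparison. `read_input` is defined outside this hunk, so if its only negative return is EOF the call is well defined, but that should be confirmed rather than assumed. The enclosing macro begins and ends outside the hunk.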