From: Maciej W. Rozycki Date: Sat, 23 Aug 2025 00:02:10 +0000 (+0100) Subject: stdio-common: Fix bad NaN crash in scanf input specifier tests [BZ #32857] X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27aa1fb73585450cfda1a932e487656a6227329d;p=thirdparty%2Fglibc.git stdio-common: Fix bad NaN crash in scanf input specifier tests [BZ #32857] Fix a null pointer dereference causing a crash in 'read_real' when the terminating null character is written for use with the subsequent call to 'nan' for invalid NaN reference input, such as: %a:nan:1:3:nanny: by moving all the 'n-char-sequence' handling under the check for the opening parenthesis. No test case added as it's a test case issue in the first place. Reviewed-by: Adhemerval Zanella
---
diff --git a/stdio-common/tst-scanf-format-real.h b/stdio-common/tst-scanf-format-real.h
index 9ed8dc00a1..93de3cadaf 100644
--- a/stdio-common/tst-scanf-format-real.h
+++ b/stdio-common/tst-scanf-format-real.h
@@ -201,41 +201,43 @@ out: \
 goto out; \
 } \
 \
- size_t seq_size = 0; \
- char *seq = NULL; \
- i = 0; \
 if (ch == '(') \
- while (1) \
- { \
- if (i == seq_size) \
- { \
- seq_size += SIZE_CHUNK; \
- seq = xrealloc (seq, seq_size); \
- } \
- ch = read_input (); \
- if (ch == ')') \
- break; \
- if (ch != '_' && !isdigit (ch) \
- && !(ch >= 'A' && ch <= 'Z') \
- && !(ch >= 'a' && ch <= 'z')) \
- { \
- free (seq); \
- err = ch < 0 ? ch : INPUT_FORMAT; \
- v = NAN; \
- goto out; \
- } \
- seq[i++] = ch; \
- } \
- seq[i] = '\0'; \
- \
- ch = read_input (); \
- if (ch == ':') \
 { \
- v = m ? -nan (v, seq) : nan (v, seq); \
+ size_t seq_size = 0; \
+ char *seq = NULL; \
+ i = 0; \
+ while (1) \
+ { \
+ if (i == seq_size) \
+ { \
+ seq_size += SIZE_CHUNK; \
+ seq = xrealloc (seq, seq_size); \
+ } \
+ ch = read_input (); \
+ if (ch == ')') \
+ break; \
+ if (ch != '_' && !isdigit (ch) \
+ && !(ch >= 'A' && ch <= 'Z') \
+ && !(ch >= 'a' && ch <= 'z')) \
+ { \
+ free (seq); \
+ err = ch < 0 ? ch : INPUT_FORMAT; \
+ v = NAN; \
+ goto out; \
+ } \
+ seq[i++] = ch; \
+ } \
+ seq[i] = '\0'; \
+ \
+ ch = read_input (); \
+ if (ch == ':') \
+ { \
+ v = m ? -nan (v, seq) : nan (v, seq); \
+ free (seq); \
+ goto out; \
+ } \
 free (seq); \
- goto out; \
 } \
- free (seq); \
 } \
 err = ch < 0 ? ch : INPUT_FORMAT; \
 v = NAN; \
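Review bot: In the character-class test inside the relocated `while (1)` loop, `isdigit (ch)` is evaluated before a negative `ch` is filtered out, although the branch body (`err = ch < 0 ? ch : INPUT_FORMAT;`) shows that `read_input` can hand back a negative error value. The C standard leaves `<ctype.h>` calls undefined for arguments that are neither EOF nor representable as `unsigned char`, so the check relies on the library tolerating such values. Prefixing the condition with the sign test, i.e. starting it as `if (ch < 0 || (ch != '_' && !isdigit (ch)` and closing the extra parenthesis after the `'z'` range test, takes the same error branch without that reliance. The line is carried over unchanged from the old code, and the enclosing macro begins and ends outside this hunk, so the exact set of values `read_input` returns is not visible here.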