Do not let scanf("%4p") accept "(nil)". Fixes bug 16055

diff --git a/ChangeLog b/ChangeLog
index 7e543afda8d539e242af963bd48da45aa3e4b7d5..8ecba52813400fc76f5fd4c81979b7049df80259 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-11-07  Ondřej Bílka  <neleai@seznam.cz>
+
+       [BZ #16055]
+       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
+       when we match (nil).
+       * stdio-common/tst-sscanf.c (struct test): Add testcase.
+
 2013-11-16  Joseph Myers  <joseph@codesourcery.com>
 
        * math/libm-test.inc (TEST_NAN_SIGN): New macro.

diff --git a/NEWS b/NEWS
index f803fa6c655eefb29af040d03a4b356f4da5db4a..fc1b63c4b1f1358c6675eb643d863f2b11c284a2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,8 +17,8 @@ Version 2.19
   15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
   15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
   15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
-  16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112,
-  16143, 16146, 16150, 16151, 16153, 16167, 16172.
+  16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
+  16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache

diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58a635d5418830b2c49ecc1230360a9bed4..a77bc7e30bd03e93359e7cbe5ae40ea10d4806fd 100644 (file)
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
   { L("foo bar"), L("foo bar"), 0 },
   { L("foo bar"), L("foo %d"), 0 },
   { L("foo bar"), L("foon%d"), 0 },
+  { L("foo (nil)"), L("foo %p"), 1},
+  { L("foo (nil)"), L("foo %4p"), 0},
   { L("foo "), L("foo %n"), 0 },
   { L("foo%bar1"), L("foo%%bar%d"), 1 },
   /* Some OSes skip whitespace here while others don't.  */

diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f372bef327a7e582f03d7e64b142120cc04..c0b93ae3b7464fbedda062d5291e4251a0561cfc 100644 (file)
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
                 we must recognize "(nil)" as well.  */
              if (__builtin_expect (wpsize == 0
                                    && (flags & READ_POINTER)
-                                   && (width < 0 || width >= 0)
+                                   && (width < 0 || width >= 5)
                                    && c == '('
                                    && TOLOWER (inchar ()) == L_('n')
                                    && TOLOWER (inchar ()) == L_('i')