From: Maciej W. Rozycki Date: Sat, 23 Aug 2025 00:02:10 +0000 (+0100) Subject: stdio-common: Fix a crash in scanf input specifier tests [BZ #32857] X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=67d2c9e3b71314c667feca730f9eefc47bcb8681;p=thirdparty%2Fglibc.git stdio-common: Fix a crash in scanf input specifier tests [BZ #32857] Fix a null pointer dereference causing a crash in 'read_real' when the terminating null character is written for use with the subsequent call to 'nan' for NaN reference input using null 'n-char-sequence', such as: %a:nan():1:5:nan(): by moving the memory allocation call ahead of the check for the closing parenthesis. No test case added as it's a test case issue in the first place. Reviewed-by: Adhemerval Zanella
---
diff --git a/stdio-common/tst-scanf-format-real.h b/stdio-common/tst-scanf-format-real.h
index fc7f39e760..9ed8dc00a1 100644
--- a/stdio-common/tst-scanf-format-real.h
+++ b/stdio-common/tst-scanf-format-real.h
@@ -207,6 +207,11 @@ out: \
 if (ch == '(') \
 while (1) \
 { \
+ if (i == seq_size) \
+ { \
+ seq_size += SIZE_CHUNK; \
+ seq = xrealloc (seq, seq_size); \
+ } \
 ch = read_input (); \
 if (ch == ')') \
 break; \
@@ -219,11 +224,6 @@ out: \
 v = NAN; \
 goto out; \
 } \
- if (i == seq_size) \
- { \
- seq_size += SIZE_CHUNK; \
- seq = xrealloc (seq, seq_size); \
- } \
 seq[i++] = ch; \
 } \
 seq[i] = '\0'; \
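Review bot: The `seq[i] = '\0'` store after the loop appears to sit outside the `if (ch == '(')` guard (no braces are visible around the `while`), so if `seq` starts out null and the reference input has no opening parenthesis, the same null write may still be reachable; this should be confirmed against the initialisation of `seq`, `i` and `seq_size`, which lies outside both hunks. Within the loop, the grow-before-read ordering in the first hunk is now the only thing guaranteeing that the terminator has a valid slot, yet nothing in the code records that invariant. A short comment above `if (i == seq_size)` would keep a later tidy-up from moving the block back, for example `/* Reserve room before reading so the terminating null always fits, even for an empty sequence.  */`. The enclosing macro begins and ends outside the hunks.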