glibc: fix CVE-2026-5450
authorSunil Dora <sunilkumar.dora@windriver.com>
Wed, 20 May 2026 15:41:42 +0000 (08:41 -0700)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Thu, 28 May 2026 10:21:53 +0000 (11:21 +0100)
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=839898777226a3ed88c0859f25ffe712519b4ead]

Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch [new file with mode: 0644]
meta/recipes-core/glibc/glibc_2.43.bb

diff --git a/meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch b/meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch
new file mode 100644 (file)
index 0000000..2240870
--- /dev/null
@@ -0,0 +1,135 @@
+From e3e9a51815d6582206eef9b3f5ce408507c81e2c Mon Sep 17 00:00:00 2001
+From: Rocket Ma <marocketbd@gmail.com>
+Date: Wed, 20 May 2026 07:01:58 -0700
+Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
+
+* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with
+format %mc or %mC, glibc allocates one byte less, leading to
+user-controlled one byte overflow. This commit fixes BZ #34008, or
+CVE-2026-5450.
+
+Upstream-Status: Backport [http://sourceware.org/git/gitweb.cgi?p=glibc.git;h=839898777226a3ed88c0859f25ffe712519b4ead]
+CVE: CVE-2026-5450
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Signed-off-by: Rocket Ma <marocketbd@gmail.com>
+Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
+Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
+---
+ stdio-common/Makefile              |  4 +++
+ stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++
+ stdio-common/vfscanf-internal.c    |  7 ++---
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 stdio-common/tst-vfscanf-bz34008.c
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 21094483..0c0085e6 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -349,6 +349,7 @@ tests := \
+   tst-vfprintf-user-type \
+   tst-vfprintf-width-i18n \
+   tst-vfprintf-width-prec-alloc \
++  tst-vfscanf-bz34008 \
+   tst-wc-printf \
+   tstdiomisc \
+   tstgetln \
+@@ -564,6 +565,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \
+ tst-vfprintf-width-prec-ENV = \
+   MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \
+   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++tst-vfscanf-bz34008-ENV = \
++  MALLOC_CHECK_=3 \
++  LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+ tst-printf-bz25691-ENV = \
+   MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \
+   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c
+new file mode 100644
+index 00000000..48371c8a
+--- /dev/null
++++ b/stdio-common/tst-vfscanf-bz34008.c
+@@ -0,0 +1,48 @@
++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
++   Copyright (C) 2026 The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include "malloc/mcheck.h"
++#include <stddef.h>
++#include <stdio.h>
++#include <string.h>
++#include <wchar.h>
++#include <stdlib.h>
++#include <malloc.h>
++#include <support/check.h>
++
++#define WIDTH 0x410
++#define SCANFSTR "%1040mc"
++static int
++do_test (void)
++{
++  mcheck_pedantic (NULL);
++  char *input = malloc (WIDTH + 1);
++  TEST_VERIFY (input != NULL);
++  memset (input, 'A', WIDTH);
++  input[WIDTH] = '\0';
++
++  char *buf = NULL;
++  TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
++  TEST_VERIFY (buf != NULL);
++
++  free (buf);
++  free (input);
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
+index 63b9246e..8687150d 100644
+--- a/stdio-common/vfscanf-internal.c
++++ b/stdio-common/vfscanf-internal.c
+@@ -862,8 +862,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+                       {
+                         /* Enlarge the buffer.  */
+                         size_t newsize
+-                          = strsize
+-                            + (strsize >= width ? width - 1 : strsize);
++                          = strsize + (strsize >= width ? width : strsize);
+                         str = (char *) realloc (*strptr, newsize);
+                         if (str == NULL)
+@@ -936,7 +935,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+                     && wstr == (wchar_t *) *strptr + strsize)
+                   {
+                     size_t newsize
+-                      = strsize + (strsize > width ? width - 1 : strsize);
++                      = strsize + (strsize >= width ? width : strsize);
+                     /* Enlarge the buffer.  */
+                     wstr = (wchar_t *) realloc (*strptr,
+                                                 newsize * sizeof (wchar_t));
+@@ -991,7 +990,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+                   && wstr == (wchar_t *) *strptr + strsize)
+                 {
+                   size_t newsize
+-                    = strsize + (strsize > width ? width - 1 : strsize);
++                    = strsize + (strsize >= width ? width : strsize);
+                   /* Enlarge the buffer.  */
+                   wstr = (wchar_t *) realloc (*strptr,
+                                               newsize * sizeof (wchar_t));
+-- 
+2.49.0
+
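Review bot: The regression test added in stdio-common/tst-vfscanf-bz34008.c exercises only the narrow `%1040mc` conversion, while the fix in vfscanf-internal.c changes three buffer-enlargement sites, two of which are the wchar_t paths where the comparison also moves from `>` to `>=`; those two sites get no coverage from this patch. A wide-character case next to the existing one, for example `wchar_t *wbuf = NULL; TEST_VERIFY (sscanf (input, "%1040mC", &wbuf) == 1); free (wbuf);`, would presumably drive the same enlargement under `MALLOC_CHECK_=3`, though only fragments of `__vfscanf_internal` are visible here, so the exact width needed to reach the realloc on that path should be confirmed. The existing assertion `sscanf (input, SCANFSTR, &buf) != -1` also passes when zero conversions were assigned; `== 1` would pin the successful allocation and assignment. `TEST_VERIFY (input != NULL)` records a failure but still lets the following `memset` run on a null pointer, so `TEST_VERIFY_EXIT` is the safer form there. Since this is a backport, these are best raised upstream so that the recipe patch stays identical to the referenced commit.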
index b84c55ca1708a7a8e483a267097af59a819e12fa..a52dcfd3648c311e9d46383972600cc323cfd26a 100644 (file)
@@ -54,6 +54,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0020-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
            file://0021-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \
            file://0022-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \
+           file://0023-CVE-2026-5450.patch \
 "
 B = "${WORKDIR}/build-${TARGET_SYS}"