diff options
| author | Lucio Andrés Illanes Albornoz <lucio@lucioillanes.de> | 2019-06-01 10:33:19 +0200 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2019-06-03 10:38:40 +0200 |
| commit | d5daede26c651f4e9d6c7abbd2dd2937a1e24e2d (patch) | |
| tree | 654884b2e4ce4f1897c52b5aa2b3bc5b338e163c | |
| parent | ee7e49e19388fd0f19ca1c4773d3efc5fa123d58 (diff) | |
| download | cygnal-d5daede26c651f4e9d6c7abbd2dd2937a1e24e2d.tar.gz cygnal-d5daede26c651f4e9d6c7abbd2dd2937a1e24e2d.tar.bz2 cygnal-d5daede26c651f4e9d6c7abbd2dd2937a1e24e2d.zip | |
Fix vfwscanf(3) assignment suppression flag handling bug
newlib's vfwscanf(3) (or specifically, __SVFWSCANF_R()) fails to correctly set
the assignment-suppressing character (`*') flag[1] which, when present in the
formatting string, results in undefined behaviour comprising retrieving and
dereferencing a pointer that was not supplied by the caller as such or at all.
When compared to the vfscanf(3) implementation, this would appear to be over
the missing goto match_failure statement preceded by the flags test seen below.
Hence, this patch (re)introduces it.
[1] <http://pubs.opengroup.org/onlinepubs/009695399/functions/fwscanf.html>
--
| -rw-r--r-- | newlib/libc/stdio/vfwscanf.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/newlib/libc/stdio/vfwscanf.c b/newlib/libc/stdio/vfwscanf.c index 0464b0837..ffb6cc85b 100644 --- a/newlib/libc/stdio/vfwscanf.c +++ b/newlib/libc/stdio/vfwscanf.c @@ -602,6 +602,7 @@ __SVFWSCANF_R (struct _reent *rptr, case L'*': if ((flags & (CHAR | SHORT | LONG | LONGDBL | SUPPRESS | MALLOC)) || width) + goto match_failure; flags |= SUPPRESS; goto again; case L'l': |