Do not let scanf("%4p") accept "(nil)". Fixes bug 16055
parent
dd8082389e
commit
728dab0e13
@ -1,3 +1,10 @@
|
||||
2013-11-07 Ondřej Bílka <neleai@seznam.cz>
|
||||
|
||||
[BZ #16055]
|
||||
* stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
|
||||
when we match (nil).
|
||||
* stdio-common/tst-sscanf.c (struct test): Add testcase.
|
||||
|
||||
2013-11-16 Joseph Myers <joseph@codesourcery.com>
|
||||
|
||||
* math/libm-test.inc (TEST_NAN_SIGN): New macro.
|
||||
|
4
NEWS
4
NEWS
@ -17,8 +17,8 @@ Version 2.19
|
||||
15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
|
||||
15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
|
||||
15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
|
||||
16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112,
|
||||
16143, 16146, 16150, 16151, 16153, 16167, 16172.
|
||||
16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
|
||||
16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
|
||||
|
||||
* CVE-2012-4412 The strcoll implementation caches indices and rules for
|
||||
large collation sequences to optimize multiple passes. This cache
|
||||
|
@ -92,6 +92,8 @@ struct test
|
||||
{ L("foo bar"), L("foo bar"), 0 },
|
||||
{ L("foo bar"), L("foo %d"), 0 },
|
||||
{ L("foo bar"), L("foon%d"), 0 },
|
||||
{ L("foo (nil)"), L("foo %p"), 1},
|
||||
{ L("foo (nil)"), L("foo %4p"), 0},
|
||||
{ L("foo "), L("foo %n"), 0 },
|
||||
{ L("foo%bar1"), L("foo%%bar%d"), 1 },
|
||||
/* Some OSes skip whitespace here while others don't. */
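Review bot: The two entries added to the test table cover the unbounded `%p` and the too-narrow `%4p`, but not the boundary the fix introduces, where a width of exactly 5 should still match the whole of "(nil)". Assuming the third field is the expected conversion count, adding `{ L("foo (nil)"), L("foo %5p"), 1},` next to the `%4p` entry would pin the new `width >= 5` comparison against an off-by-one in either direction. The table continues outside the hunk, so an equivalent case may already exist elsewhere in the file.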
|
||||
|
@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
|
||||
we must recognize "(nil)" as well. */
|
||||
if (__builtin_expect (wpsize == 0
|
||||
&& (flags & READ_POINTER)
|
||||
&& (width < 0 || width >= 0)
|
||||
&& (width < 0 || width >= 5)
|
||||
&& c == '('
|
||||
&& TOLOWER (inchar ()) == L_('n')
|
||||
&& TOLOWER (inchar ()) == L_('i')
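Review bot: The literal `5` in `(width < 0 || width >= 5)` is the length of "(nil)", but nothing on the line says so, and the comment above it still only says that "(nil)" must be recognized. A short remark such as `/* A field width shorter than "(nil)" cannot match it.  */`, or writing the bound as `sizeof "(nil)" - 1`, would keep the constant tied to the token it guards. The field width is the caller's limit on how much input one conversion may consume, so the reason for the check is worth stating where it is enforced. The condition and the rest of _IO_vfscanf_internal continue outside the hunk, so what happens to characters already taken by `inchar ()` when a later comparison fails cannot be judged from here.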
|
||||
|