aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schwab <schwab@suse.de>2013-01-14 17:32:20 +0100
committerAndreas Schwab <schwab@suse.de>2013-04-11 10:24:37 +0200
commit6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2 (patch)
treef6e388cdb8eff711e7f0af5af0cf77cff1404b70
parent273cdee86d86e107c0eecef5614f57e37567b54e (diff)
downloadglibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.zip
glibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.tar.gz
glibc-6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2.tar.bz2
Don't accept exp char without preceding digits in scanf float parsing
-rw-r--r--ChangeLog6
-rw-r--r--NEWS12
-rw-r--r--stdio-common/Makefile2
-rw-r--r--stdio-common/bug26.c37
-rw-r--r--stdio-common/vfscanf.c16
5 files changed, 61 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 6313627..c64d690 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2013-04-11 Andreas Schwab <schwab@suse.de>
+ [BZ #13988]
+ * stdio-common/vfscanf.c (_IO_vfwscanf): When parsing a float
+ accept exponent character only when digits were seen.
+ * stdio-common/Makefile (tests): Add bug26.
+ * stdio-common/bug26.c: New file.
+
[BZ #14293]
* elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as
non-freeable.
diff --git a/NEWS b/NEWS
index 639b1f0..66efb82 100644
--- a/NEWS
+++ b/NEWS
@@ -9,12 +9,12 @@ Version 2.18
* The following bugs are resolved with this release:
- 10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142,
- 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920,
- 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023,
- 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283,
- 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336,
- 15337, 15342, 15346.
+ 10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 13988,
+ 14142, 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812,
+ 14920, 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020,
+ 15023, 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234,
+ 15283, 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335,
+ 15336, 15337, 15342, 15346.
* CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
#15078).
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index f64a8ba..658804b 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
- bug25 tst-printf-round
+ bug25 tst-printf-round bug26
test-srcs = tst-unbputc tst-printf
diff --git a/stdio-common/bug26.c b/stdio-common/bug26.c
new file mode 100644
index 0000000..a4c6bce
--- /dev/null
+++ b/stdio-common/bug26.c
@@ -0,0 +1,37 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+ FILE *f;
+ int lost = 0;
+ int c;
+ double d;
+ char s[] = "+.e";
+
+ f = fmemopen (s, strlen (s), "r");
+ /* This should fail to parse a float and leave 'e' in the input. */
+ lost |= (fscanf (f, "%f", &d) != 0);
+ c = fgetc (f);
+ lost |= c != 'e';
+ puts (lost ? "Test FAILED!" : "Test succeeded.");
+ return lost;
+}
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index 9b5c4a9..82f7eee 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -222,7 +222,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
/* Errno of last failed inchar call. */
int inchar_errno = 0;
/* Status for reading F-P nums. */
- char got_dot, got_e, negative;
+ char got_digit, got_dot, got_e, negative;
/* If a [...] is a [^...]. */
CHAR_T not_in;
#define exp_char not_in
@@ -1845,7 +1845,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
if (__builtin_expect (c == EOF, 0))
input_error ();
- got_dot = got_e = 0;
+ got_digit = got_dot = got_e = 0;
/* Check for a sign. */
if (c == L_('-') || c == L_('+'))
@@ -1971,13 +1971,19 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
while (1)
{
if (ISDIGIT (c))
- ADDW (c);
+ {
+ ADDW (c);
+ got_digit = 1;
+ }
else if (!got_e && (flags & HEXA_FLOAT) && ISXDIGIT (c))
- ADDW (c);
+ {
+ ADDW (c);
+ got_digit = 1;
+ }
else if (got_e && wp[wpsize - 1] == exp_char
&& (c == L_('-') || c == L_('+')))
ADDW (c);
- else if (wpsize > 0 && !got_e
+ else if (got_digit && !got_e
&& (CHAR_T) TOLOWER (c) == exp_char)
{
ADDW (exp_char);