author | Maciej W. Rozycki <macro@redhat.com> | 2025-08-23 01:02:10 +0100 |
---|---|---|
committer | Maciej W. Rozycki <macro@redhat.com> | 2025-08-23 01:02:46 +0100 |
commit | 27aa1fb73585450cfda1a932e487656a6227329d (patch) | |
tree | ecedd69788a0835ce5991cbd94f9d4fa3f15a542 | |
parent | 67d2c9e3b71314c667feca730f9eefc47bcb8681 (diff) | |
stdio-common: Fix bad NaN crash in scanf input specifier tests [BZ #32857]
Fix a null pointer dereference causing a crash in 'read_real' when the
terminating null character is written for use with the subsequent call
to 'nan' for invalid NaN reference input, such as:
%a:nan:1:3:nanny:
by moving all the 'n-char-sequence' handling under the check for the
opening parenthesis.
No test case added as it's a test case issue in the first place.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
-rw-r--r-- | stdio-common/tst-scanf-format-real.h | 64 |
1 files changed, 33 insertions, 31 deletions
diff --git a/stdio-common/tst-scanf-format-real.h b/stdio-common/tst-scanf-format-real.h
index 9ed8dc0..93de3ca 100644
--- a/stdio-common/tst-scanf-format-real.h
+++ b/stdio-common/tst-scanf-format-real.h
@@ -201,41 +201,43 @@ out: \
 goto out; \
 } \
 \
- size_t seq_size = 0; \
- char *seq = NULL; \
- i = 0; \
 if (ch == '(') \
- while (1) \
- { \
- if (i == seq_size) \
- { \
- seq_size += SIZE_CHUNK; \
- seq = xrealloc (seq, seq_size); \
- } \
- ch = read_input (); \
- if (ch == ')') \
- break; \
- if (ch != '_' && !isdigit (ch) \
- && !(ch >= 'A' && ch <= 'Z') \
- && !(ch >= 'a' && ch <= 'z')) \
- { \
- free (seq); \
- err = ch < 0 ? ch : INPUT_FORMAT; \
- v = NAN; \
- goto out; \
- } \
- seq[i++] = ch; \
- } \
- seq[i] = '\0'; \
- \
- ch = read_input (); \
- if (ch == ':') \
 { \
- v = m ? -nan (v, seq) : nan (v, seq); \
+ size_t seq_size = 0; \
+ char *seq = NULL; \
+ i = 0; \
+ while (1) \
+ { \
+ if (i == seq_size) \
+ { \
+ seq_size += SIZE_CHUNK; \
+ seq = xrealloc (seq, seq_size); \
+ } \
+ ch = read_input (); \
+ if (ch == ')') \
+ break; \
+ if (ch != '_' && !isdigit (ch) \
+ && !(ch >= 'A' && ch <= 'Z') \
+ && !(ch >= 'a' && ch <= 'z')) \
+ { \
+ free (seq); \
+ err = ch < 0 ? ch : INPUT_FORMAT; \
+ v = NAN; \
+ goto out; \
+ } \
+ seq[i++] = ch; \
+ } \
+ seq[i] = '\0'; \
+ \
+ ch = read_input (); \
+ if (ch == ':') \
+ { \
+ v = m ? -nan (v, seq) : nan (v, seq); \
+ free (seq); \
+ goto out; \
+ } \
 free (seq); \
- goto out; \
 } \
- free (seq); \
 } \
 err = ch < 0 ? ch : INPUT_FORMAT; \
 v = NAN; \ |
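Review bot: In the character check inside the relocated `while (1)` loop, `isdigit (ch)` is still evaluated on whatever `read_input ()` returned, including the negative values that `err = ch < 0 ? ch : INPUT_FORMAT` shows it can produce. If any of those codes differs from EOF, the argument is outside the range the C standard defines for the `<ctype.h>` functions. `read_input`'s return range is not visible in this hunk, so this may be harmless in practice. Testing the sign first avoids the question, e.g. opening the condition with `if (ch < 0 || (ch != '_' && !isdigit (ch)` and closing the extra parenthesis after the `'a'`..`'z'` test. The enclosing macro body starts and ends outside the hunk.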