author | Maciej W. Rozycki <macro@redhat.com> | 2025-08-23 01:02:10 +0100 |
---|---|---|
committer | Maciej W. Rozycki <macro@redhat.com> | 2025-08-23 01:02:46 +0100 |
commit | 67d2c9e3b71314c667feca730f9eefc47bcb8681 (patch) | |
tree | bda6a77f3295bcabbf8c8445453460f01d16f960 | |
parent | da2a2581c43dcad228bc89bce24d0cafa3b485f3 (diff) | |

stdio-common: Fix a crash in scanf input specifier tests [BZ #32857]

Fix a null pointer dereference causing a crash in 'read_real' when the
terminating null character is written for use with the subsequent call
to 'nan' for NaN reference input using null 'n-char-sequence', such as:

    %a:nan():1:5:nan():

by moving the memory allocation call ahead of the check for the closing
parenthesis.

No test case added as it's a test case issue in the first place.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>

-rw-r--r-- | stdio-common/tst-scanf-format-real.h | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/stdio-common/tst-scanf-format-real.h b/stdio-common/tst-scanf-format-real.h index fc7f39e..9ed8dc0 100644 --- a/stdio-common/tst-scanf-format-real.h +++ b/stdio-common/tst-scanf-format-real.h @@ -207,6 +207,11 @@ out: \ if (ch == '(') \ while (1) \ { \ + if (i == seq_size) \ + { \ + seq_size += SIZE_CHUNK; \ + seq = xrealloc (seq, seq_size); \ + } \ ch = read_input (); \ if (ch == ')') \ break; \ @@ -219,11 +224,6 @@ out: \ v = NAN; \ goto out; \ } \ - if (i == seq_size) \ - { \ - seq_size += SIZE_CHUNK; \ - seq = xrealloc (seq, seq_size); \ - } \ seq[i++] = ch; \ } \ seq[i] = '\0'; \ |
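
Review bot: the relocated `if (i == seq_size)` block at the top of the `while (1)` loop in the first hunk has no comment saying why it must come before `read_input ()`, and that ordering is the entire fix. Growing the buffer ahead of the read is what guarantees `i < seq_size` both for `seq[i++] = ch` and for the `seq[i] = '\0'` that runs after the `break` on `')'`, including the empty `nan()` case where nothing has been stored yet. A one-line comment stating that the slot reserved here is for either the next character or the terminating null would stop a later tidy-up from moving the check back next to the store, which is where the second hunk removes it from. The early exit through `v = NAN; goto out;` can now be reached with a buffer allocated even when no character was accepted; the cleanup at `out:` is not visible in these lines, so it is worth confirming that `seq` is released there.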