From: Michał Janiszewski janisozaur@gmail.com
In some cases, e.g. with an unterminated selection specifier (%[]), the scanf() family of functions could keep reading from the format string past its end.
Add a check to verify when the format string ends, rather than blindly expecting the termination to happen.
Signed-off-by: Michał Janiszewski janisozaur@gmail.com
---
 dlls/msvcrt/scanf.h | 2 +-
 dlls/msvcrt/tests/scanf.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 0903d6909a..68585468fe 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -637,7 +637,7 @@ _FUNCTION_ {
 while(*format && (*format != ']')) {
 /* According to msdn:
 * "Note that %[a-z] and %[z-a] are interpreted as equivalent to %[abcde...z]." */
- if((*format == '-') && (*(format + 1) != ']')) {
+ if((*format == '-') && *(format + 1) && (*(format + 1) != ']')) {
 if ((*(format - 1)) < *(format + 1))
 RtlSetBits(&bitMask, *(format - 1) +1 , *(format + 1) - *(format - 1));
 else
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index b7244835ac..e1e351e0bb 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -294,6 +294,12 @@ static void test_sscanf_s(void)
 ret = psscanf_s("123", "%3c", buf, 3);
 ok(!strcmp("123a", buf), "buf = %s\n", buf);
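Review bot: The range condition now stops its look-ahead at the terminator, but it still reads `*(format - 1)` without establishing that the '-' has a set member in front of it; when '-' is the first character of the set, the range start is whatever precedes it in the format string (presumably the '[' or '^' that opens the set, which lies outside the hunk), and that is worth confirming against native behaviour. The added `*(format + 1)` test also deserves a comment, for example `/* a '-' directly before the end of the format string is a literal, not a range */`, so it is not simplified away later. The loop body and the code after the loop continue outside the hunk, so whether the path after the loop tolerates `*format` being the terminator instead of ']' cannot be checked from here.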

+ /* Test to verify how unterminated and invalid sequence gets handled */
+ memset(buf, 'a', sizeof(buf));
+ ret = psscanf_s(" ", "%[-", buf, 2);
+ ok(ret == 1, "Wrong number of arguments read: %d\n", ret);
+ ok(!strcmp(" ", buf), "buf = %s\n", buf);
+
 i = 1;
 ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
 ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
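Review bot: The new case covers only a set that ends immediately after '-' (`"%[-"`); the other unterminated shapes that reach the same loop, such as `"%["`, `"%[^"` and `"%[a-"`, are not exercised, and `"%[a-"` is the one where the range branch has a real left-hand member. Reading a byte or two past the end of the format string will usually leave `ret` and `buf` unchanged, so these `ok()` checks pin parsing behaviour rather than the over-read itself; the case is most meaningful when the test binary runs under a memory checker. The comment could say what is being protected, e.g. `/* format string ends inside the %[ set: must not be read past its terminator */`. test_sscanf_s continues outside the hunk.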