From: Michał Janiszewski janisozaur@gmail.com
An unexpected format string of the form "%" can cause the scanf() family of functions to read past the end of it.
Signed-off-by: Michał Janiszewski janisozaur@gmail.com
---
 dlls/msvcrt/scanf.h       | 2 +-
 dlls/msvcrt/tests/scanf.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h index 68585468fe..138d4351a2 100644 --- a/dlls/msvcrt/scanf.h +++ b/dlls/msvcrt/scanf.h @@ -686,7 +686,7 @@ _FUNCTION_ { * use %%." */ while ((nch!=_EOF_) && _ISSPACE_(nch)) nch = _GETC_(file); - if ((_CHAR_)nch == *format) { + if (*format && (_CHAR_)nch == *format) { suppress = 1; /* whoops no field to be read */ st = 1; /* but we got what we expected */ nch = _GETC_(file); diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c index e1e351e0bb..5e961f19b0 100644 --- a/dlls/msvcrt/tests/scanf.c +++ b/dlls/msvcrt/tests/scanf.c @@ -300,6 +300,12 @@ static void test_sscanf_s(void) ok(ret == 1, "Wrong number of arguments read: %d\n", ret); ok(!strcmp(" ", buf), "buf = %s\n", buf);
+ memset(buf, 'a', sizeof(buf)); + buf[4] = 0; + ret = psscanf_s(" ", "%", buf, 2); + ok(ret == 0, "Wrong number of arguments read: %d\n", ret); + ok(!strcmp("aaa", buf), "buf = %s\n", buf); + i = 1; ret = psscanf_s("123 123", "%s %d", buf, 2, &i); ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
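Review bot: the new `*format &&` guard in the default case of dlls/msvcrt/scanf.h has no comment saying which input it exists for, and the spec comment directly above it only covers an unknown character following '%'. Add a line stating that the format string can end right after '%', so that nch must not be compared against the terminator, and confirm that the code after this branch does not advance format past that terminator once the match is skipped.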
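Review bot: in the test added to test_sscanf_s, `buf[4] = 0` after the memset leaves four 'a' characters in buf, while the check is `ok(!strcmp("aaa", buf), ...)` with three. With ret == 0 expected, nothing should be stored, so unless the call itself writes into buf the strcmp cannot return 0. Either terminate at buf[3] or compare against "aaaa", and say in a comment which bytes of buf the call is expected to leave alone.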
From: Michał Janiszewski janisozaur@gmail.com
Some unexpected sequences can cause a buffer overrun due to insufficient format string verification.
This patch fixes a buffer overrun for a format string of the form "%[^".
Signed-off-by: Michał Janiszewski janisozaur@gmail.com
---
 dlls/msvcrt/scanf.h       | 2 +-
 dlls/msvcrt/tests/scanf.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h index 138d4351a2..04e06f6882 100644 --- a/dlls/msvcrt/scanf.h +++ b/dlls/msvcrt/scanf.h @@ -704,7 +704,7 @@ _FUNCTION_ { nch = _GETC_(file); } else break; } - format++; + if (*format) format++; } if (nch!=_EOF_) { _UNGETC_(nch, file); diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c index 5e961f19b0..0eb4e4e95d 100644 --- a/dlls/msvcrt/tests/scanf.c +++ b/dlls/msvcrt/tests/scanf.c @@ -306,6 +306,11 @@ static void test_sscanf_s(void) ok(ret == 0, "Wrong number of arguments read: %d\n", ret); ok(!strcmp("aaa", buf), "buf = %s\n", buf);
+ memset(buf, 'a', sizeof(buf)); + ret = psscanf_s(" ", "%[^", buf, 2); + ok(ret == 1, "Wrong number of arguments read: %d\n", ret); + ok(!strcmp(" ", buf), "buf = %s\n", buf); + i = 1; ret = psscanf_s("123 123", "%s %d", buf, 2, &i); ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
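Review bot: `if (*format) format++;` at the end of the loop body in dlls/msvcrt/scanf.h stops the pointer at the terminator but does not show how format got there. Going by the commit message this is the "%[^" case, so presumably the set parsing has already walked to the end of the string before this line runs. Consider rejecting or closing the unterminated set at the point where it is parsed, or at least add a comment here naming the cases that reach this line with *format == 0, so the guard is not removed later as redundant.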
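Review bot: the added "%[^" test fills buf with `memset(buf, 'a', sizeof(buf))` and never terminates it, so `strcmp(" ", buf)` and the %s in the failure message both depend on psscanf_s having written the terminating 0. If the call stores nothing, the test itself reads past the end of buf. Set the last byte of buf to 0 after the memset, as the "%" test from the previous patch does with `buf[4] = 0`.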
Hi,
While running your changed tests on Windows, I think I found new failures. Being a bot and all I'm not very good at pattern recognition, so I might be wrong, but could you please double-check?
Full results can be found at: https://testbot.winehq.org/JobDetails.pl?Key=40281
Your paranoid android.
=== build (build) ===
error: patch failed: dlls/msvcrt/tests/scanf.c:300
error: patch failed: dlls/msvcrt/tests/scanf.c:306
Build: Patch failed to apply

=== debian9 (build) ===
error: patch failed: dlls/msvcrt/tests/scanf.c:300
error: patch failed: dlls/msvcrt/tests/scanf.c:306
Task: Patch failed to apply
Hi,
While running your changed tests on Windows, I think I found new failures. Being a bot and all I'm not very good at pattern recognition, so I might be wrong, but could you please double-check?
Full results can be found at: https://testbot.winehq.org/JobDetails.pl?Key=40280
Your paranoid android.
=== build (build) ===
error: patch failed: dlls/msvcrt/tests/scanf.c:300
Build: Patch failed to apply

=== debian9 (build) ===
error: patch failed: dlls/msvcrt/tests/scanf.c:300
Task: Patch failed to apply