JehanneOS
/
newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix a potential buffer overflow in wscanf family 

Fixes Coverity CID 60046

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2016-10-22 21:43:28 +02:00
parent 94f40db019
commit 941df759a2
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
newlib/libc/stdio/vfwscanf.c
View File

@ -1173,14 +1173,14 @@ _DEFUN(__SVFWSCANF_R, (rptr, fp, fmt0, ap),
char nancount = 0;
char infcount = 0;
#ifdef hardway
if (width == 0 || width > sizeof (buf) - 1)
if (width == 0 || width > sizeof (buf) / sizeof (*buf) - 1)
#else
/* size_t is unsigned, hence this optimisation */
if (width - 1 > sizeof (buf) - 2)
if (width - 1 > sizeof (buf) / sizeof (*buf) - 2)
#endif
{
width_left = width - (sizeof (buf) - 1);
width = sizeof (buf) - 1;
width_left = width - (sizeof (buf) / sizeof (*buf) - 1);
width = sizeof (buf) / sizeof (*buf) - 1;
}
flags |= SIGNOK | NDIGITS | DPTOK | EXPOK;
zeroes = 0;
@ -1431,8 +1431,10 @@ _DEFUN(__SVFWSCANF_R, (rptr, fp, fmt0, ap),
/* If there might not be enough space for the new exponent,
truncate some trailing digits to make room. */
if (exp_start >= buf + sizeof (buf) - MAX_LONG_LEN)
exp_start = buf + sizeof (buf) - MAX_LONG_LEN - 1;
if (exp_start >= buf + sizeof (buf) / sizeof (*buf)
- MAX_LONG_LEN)
exp_start = buf + sizeof (buf) / sizeof (*buf)
- MAX_LONG_LEN - 1;
swprintf (exp_start, MAX_LONG_LEN, L"e%ld", new_exp);
}