Fix vfwscanf(3) assignment suppression flag handling bug

newlib's vfwscanf(3) (or specifically, __SVFWSCANF_R()) fails to correctly set
the assignment-suppressing character (`*') flag[1] which, when present in the
formatting string, results in undefined behaviour comprising retrieving and
dereferencing a pointer that was not supplied by the caller as such or at all.
When compared to the vfscanf(3) implementation, this would appear to be over
the missing goto match_failure statement preceded by the flags test seen below.
Hence, this patch (re)introduces it.

[1] <http://pubs.opengroup.org/onlinepubs/009695399/functions/fwscanf.html>

--
Lucio Andrés Illanes Albornoz 2019-06-01 10:33:19 +02:00 committed by Corinna Vinschen
parent ee7e49e193
commit d5daede26c
1 changed files with 1 additions and 0 deletions


@ -602,6 +602,7 @@ __SVFWSCANF_R (struct _reent *rptr,
case L'*':
if ((flags & (CHAR | SHORT | LONG | LONGDBL | SUPPRESS | MALLOC))
|| width)
goto match_failure;
flags |= SUPPRESS;
goto again;
case L'l':
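
Review bot: No regression test accompanies the added `goto match_failure;` under `case L'*':`, and this is a one-line omission that compiles cleanly either way. Without that line, `flags |= SUPPRESS;` becomes the body of the unbraced `if`, so SUPPRESS is set only when a conflicting flag or a width is already present and never for a plain suppressed directive, which is how the conversion ends up fetching a pointer the caller did not pass. Please add a wide-character scanf test that uses a suppressed conversion followed by an assigned one (for example the format L"%*d %d" with a single int pointer) and checks both the return value and the stored value. It should also include formats that must take the `goto match_failure` path shown here, such as a width before the `*` or a repeated `*`. Since the message says the vfscanf(3) implementation already has this shape, a comment at this case noting that the two should stay in sync would help the next reader.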