This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.18-397-g728dab0


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  728dab0e13529ba8778e6ef07e2cc80eddf028b5 (commit)
      from  dd8082389e5448c3e716de8431817b30565a48d3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=728dab0e13529ba8778e6ef07e2cc80eddf028b5

commit 728dab0e13529ba8778e6ef07e2cc80eddf028b5
Author: OndÅ?ej Bílka <neleai@seznam.cz>
Date:   Mon Nov 18 12:41:00 2013 +0100

    Do not let scanf("%4p") accept "(nil)". Fixes bug 16055

diff --git a/ChangeLog b/ChangeLog
index 7e543af..8ecba52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-11-07  OndÅ?ej Bílka  <neleai@seznam.cz>
+
+	[BZ #16055]
+	* stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
+	when we match (nil).
+	* stdio-common/tst-sscanf.c (struct test): Add testcase.
+
 2013-11-16  Joseph Myers  <joseph@codesourcery.com>
 
 	* math/libm-test.inc (TEST_NAN_SIGN): New macro.
diff --git a/NEWS b/NEWS
index f803fa6..fc1b63c 100644
--- a/NEWS
+++ b/NEWS
@@ -17,8 +17,8 @@ Version 2.19
   15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
   15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
   15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
-  16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112,
-  16143, 16146, 16150, 16151, 16153, 16167, 16172.
+  16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
+  16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58..a77bc7e 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
   { L("foo bar"), L("foo bar"), 0 },
   { L("foo bar"), L("foo %d"), 0 },
   { L("foo bar"), L("foon%d"), 0 },
+  { L("foo (nil)"), L("foo %p"), 1},
+  { L("foo (nil)"), L("foo %4p"), 0},
   { L("foo "), L("foo %n"), 0 },
   { L("foo%bar1"), L("foo%%bar%d"), 1 },
   /* Some OSes skip whitespace here while others don't.  */
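Review bot: The two added rows cover only the unbounded case and width 4, so the boundary the fix introduces is not pinned: nothing checks that `%5p` still matches `(nil)`. Assuming the third field is the expected return count, as the neighbouring rows suggest, add `{ L("foo (nil)"), L("foo %5p"), 1},` next to the `%4p` row. Without it, a later change from `>= 5` to `> 5` would pass the suite while breaking input that fits the field width exactly.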
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f3..c0b93ae 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		 we must recognize "(nil)" as well.  */
 	      if (__builtin_expect (wpsize == 0
 				    && (flags & READ_POINTER)
-				    && (width < 0 || width >= 0)
+				    && (width < 0 || width >= 5)
 				    && c == '('
 				    && TOLOWER (inchar ()) == L_('n')
 				    && TOLOWER (inchar ()) == L_('i')
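Review bot: The literal `5` in `width >= 5` is the length of the token `(nil)`, and nothing on the line says so; a reader has to count the characters in the `inchar ()` comparisons that follow to see where it comes from. A short comment above the condition, such as `/* "(nil)" is 5 characters; a narrower field width cannot hold it.  */`, or a named constant would keep the bound and the token from drifting apart. The same comment should say that the width test must stay ahead of the `inchar ()` calls, because `&&` short-circuits and each of those calls consumes input, so a rejected width reads nothing beyond `c`. The condition and the rest of `_IO_vfscanf_internal` continue outside the hunk, so how `width` is adjusted before this point cannot be checked here.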

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    7 +++++++
 NEWS                      |    4 ++--
 stdio-common/tst-sscanf.c |    2 ++
 stdio-common/vfscanf.c    |    2 +-
 4 files changed, 12 insertions(+), 3 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

