This is the mail archive of the libc-hacker@sourceware.cygnus.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]

Re: [PATCH] Fix *scanf's character range

To: Jonathan Kamens <jik at kamens dot brookline dot ma dot us>
Subject: Re: [PATCH] Fix *scanf's character range
From: Jakub Jelinek <jakub at redhat dot com>
Date: Mon, 22 May 2000 14:54:39 +0200
Cc: libc-hacker at sourceware dot cygnus dot com
References: <20000522122028.H474@sunsite.ms.mff.cuni.cz> <200005221153.e4MBr8C17728@jik.kamens.brookline.ma.us>
Reply-To: Jakub Jelinek <jakub at redhat dot com>

On Mon, May 22, 2000 at 07:53:08AM -0400, Jonathan Kamens wrote:
> >  Date: Mon, 22 May 2000 12:20:28 +0200
> >  From: Jakub Jelinek <jakub@redhat.com>
> >  
> >  Actually, I have no idea why the test was added there even if it was e.g. f
> >  - 1 or whatever, because if the test wants to guard against f[-2] being
> >  after the opening [, then this is already guaranteed.
> 
> No, it isn't.  When the "tw = (char *) f" executes, "f" points at the
> first character after the opening '[', unless that character was ']'
> or '-'.  Therefore, "tw" points at the first character after the '['
> too.  That means that the first time through the loop, "fc" is set to
> that first character and "f" is pointing at the second character.
> Therefore, "f - 2" points at the opening "[", which we most certainly
> do not want.
> 
> I believe that the fix which I submitted to bugzilla is correct and
> yours is now -- the test you removed should not be removed, it should
> just be changed from "f - 2" to "f - 1".
> 
> I believe that your fix will cause the scanf format string "%10[--/]",
> which should imply a character range from hyphen to slash, to behave
> incorrectly.
> 
> Mind you, I'm not certain about all of this, since the code is
> somewhat complex and it is difficult to dream up good test cases for
> it, but I've read over the code several times and I think I'm right.

No, ']' and '-' after the opening '[' are handled separately before the
loop:

          fc = *f;
          if (fc == ']' || fc == '-')
            {
              /* If ] or - appears before any char in the set, it is not
                 the terminator or separator, but the first char in the
                 set.  */
              wp[fc] = 1;
              ++f;
            }

so even if fc is '-' in the first while cycle (e.g. for [--/]), then it will
be the second -, fc will be '-', f will point to "/]" and f-2 will be "--/]".
So I'm pretty sure f-2 never points to the opening '[' or before it in the
while loop if fc == '-'.

This programs works correctly with my patch btw:

bash$ cat /tmp/v.c
#include <stdio.h>

main()
{
  char buf[10] = {};
  int num;

  num = sscanf("-...-/X", "%9[--/]", buf);
  printf("num=%d, buf=\"%s\"\n", num, buf);
}
bash$ /tmp/v
num=1, buf="-...-/"

	Jakub

References:
- [PATCH] Fix *scanf's character range
  - From: Jakub Jelinek

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]