[PATCH 3/3] msvcrt: Update size checks for secure scanf versions

janisozaur at gmail.com janisozaur at gmail.com
Sun Jul 1 16:51:24 CDT 2018


From: Michał Janiszewski <janisozaur at gmail.com>

Limit damage done by a case

    char buffer[1];
    sscanf_s("xx", "%2c", buffer, 1);

where it would try writing 'x' to buffer[1].

It is still not entirely correct, as according to
https://en.cppreference.com/w/c/io/fwscanf, "The size of the destination
array must be at least one greater than the specified field width" but
the final byte is reserved for NULL terminator.

Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
 dlls/msvcrt/scanf.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 734fe8bb98..5393e36f23 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -549,7 +549,7 @@ _FUNCTION_ {
                     {
                         if (!suppress) {
                             *str++ = _CHAR2SUPPORTED_(nch);
-                            if(size) size--;
+                            if(size > 1) size--;
                             else {
                                 _UNLOCK_FILE_(file);
                                 *pstr = 0;
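Review bot: The bounds check still runs after the store in this hunk: `*str++ = _CHAR2SUPPORTED_(nch);` executes before `if(size > 1) size--;`, so a call that passes a size of 0 writes one character before the else branch is reached. Consider testing the remaining size before the store, so that nothing is written when there is no room left.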
@@ -575,7 +575,7 @@ _FUNCTION_ {
                     {
                         if (!suppress) {
                             *str++ = _WIDE2SUPPORTED_(nch);
-                            if(size) size--;
+                            if(size > 1) size--;
                             else {
                                 _UNLOCK_FILE_(file);
                                 *pstr = 0;
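Review bot: In the wide-character path, `if(size > 1) size--;` sends control to the else branch (unlock, `*pstr = 0`) immediately after the store into the last element, so input that exactly fills the destination ends on that path with a character already written where the commit message says the terminator is reserved. A short comment stating the intended boundary, plus a test for the `char buffer[1]` / `"%2c"` case from the commit message and its wide equivalent, would make the expected behaviour explicit for both hunks.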
-- 
2.17.1



