[PATCH 3/3] msvcrt: Update size checks for secure scanf versions
janisozaur at gmail.com
Sun Jul 1 16:51:24 CDT 2018
From: Michał Janiszewski <janisozaur at gmail.com>
Limit damage done by a case
char buffer[1];
sscanf_s("xx", "%2c", buffer, 1);
where it would try writing 'x' to buffer[1].
It is still not entirely correct, as according to
https://en.cppreference.com/w/c/io/fwscanf, "The size of the destination
array must be at least one greater than the specified field width" but
the final byte is reserved for NULL terminator.
Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
dlls/msvcrt/scanf.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 734fe8bb98..5393e36f23 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -549,7 +549,7 @@ _FUNCTION_ {
{
if (!suppress) {
*str++ = _CHAR2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
else {
_UNLOCK_FILE_(file);
*pstr = 0;
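Review bot: The new `if(size > 1)` test in this narrow-character branch still runs after the store `*str++ = _CHAR2SUPPORTED_(nch);`, so it guards the next write rather than the current one. With size == 1 the character is stored, the test fails, and the else branch runs immediately, so a read that exactly fills a one-element destination is now treated as an error; with size == 0 on entry one element is still written unless that is rejected before this point, which these lines do not show. Consider testing the remaining size before the store and decrementing only after a successful write, instead of raising the threshold on a check that comes after the write.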
@@ -575,7 +575,7 @@ _FUNCTION_ {
{
if (!suppress) {
*str++ = _WIDE2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
else {
_UNLOCK_FILE_(file);
*pstr = 0;
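Review bot: The wide-character branch takes the same `if(size > 1) size--;` condition with no comment explaining why one element is held back. The commit message gives the reason (the final element is reserved for the terminator) and says the check is still not entirely correct, and that explanation belongs next to the code in both branches. A regression test for the commit message's case, `sscanf_s("xx", "%2c", buffer, 1)`, together with its wide counterpart, would pin the behaviour of both paths if the earlier patches in the series do not already add one.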
--
2.17.1