[PATCH] msvcrt: Verify format string before reading past end of it
janisozaur at gmail.com
Sat Jul 28 16:31:47 CDT 2018
From: Michał Janiszewski <janisozaur at gmail.com>
In some cases, e.g. an unterminated selection specifier (%[]), the
scanf() family of functions could keep reading from the format string
past the end of it.
Add a check to verify when the format string ends, rather than blindly
expecting the termination to happen.
Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
dlls/msvcrt/scanf.h | 2 +-
dlls/msvcrt/tests/scanf.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 0903d6909a..68585468fe 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -637,7 +637,7 @@ _FUNCTION_ {
while(*format && (*format != ']')) {
/* According to msdn:
* "Note that %[a-z] and %[z-a] are interpreted as equivalent to %[abcde...z]." */
- if((*format == '-') && (*(format + 1) != ']')) {
+ if((*format == '-') && *(format + 1) && (*(format + 1) != ']')) {
if ((*(format - 1)) < *(format + 1))
RtlSetBits(&bitMask, *(format - 1) +1 , *(format + 1) - *(format - 1));
else
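Review bot: the added *(format + 1) test on the changed line guards only the look-ahead for the range end; the same branch still reads *(format - 1) as the range start, and nothing in this hunk shows that a set member precedes the '-'. In the "%[-" format used by the new test the '-' is the first character after the '[', so for a similar format with one more character after the '-' the range would start at whatever byte sits before it. Consider also requiring that the '-' is not the first character of the set before treating it as a range, and add a short comment on the changed line saying that a '-' at the very end of the format is taken as a literal. Separately, the loop condition while(*format && ...) can now exit with format pointing at the terminator; the code after the loop is outside this hunk, so please confirm it does not advance format unconditionally.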
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index b7244835ac..e1e351e0bb 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -294,6 +294,12 @@ static void test_sscanf_s(void)
ret = psscanf_s("123", "%3c", buf, 3);
ok(!strcmp("123a", buf), "buf = %s\n", buf);
+ /* Test to verify how unterminated and invalid sequence gets handled */
+ memset(buf, 'a', sizeof(buf));
+ ret = psscanf_s(" ", "%[-", buf, 2);
+ ok(ret == 1, "Wrong number of arguments read: %d\n", ret);
+ ok(!strcmp(" ", buf), "buf = %s\n", buf);
+
i = 1;
ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
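Review bot: the new test asserts only on ret and on the contents of buf, so it does not by itself show the over-read of the format string; reading past the end of "%[-" may leave both values unchanged, in which case the test would pass with or without the scanf.h change. Please state in the comment whether this case fails before the fix (or only under a memory checker), and where the expected values come from: ret == 1 with buf equal to " " means a space was stored for a set whose only visible member is '-', which is surprising enough to deserve a note that it matches native behaviour if that is the source. A second case with a non-empty unterminated set, such as one ending in a range start, would cover the changed condition more directly.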
--
2.18.0