[PATCH 2/2] msvcrt: Prevent buffer overrun in scanf()

janisozaur at gmail.com janisozaur at gmail.com
Sun Jul 29 16:10:00 CDT 2018


From: Michał Janiszewski <janisozaur at gmail.com>

Some unexpected format sequences can cause a buffer overrun due to insufficient
format string verification.

This patch fixes the buffer overrun for format strings of the form "%[^".

Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
 dlls/msvcrt/scanf.h       | 2 +-
 dlls/msvcrt/tests/scanf.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 138d4351a2..04e06f6882 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -704,7 +704,7 @@ _FUNCTION_ {
 		nch = _GETC_(file);
             } else break;
         }
-        format++;
+        if (*format) format++;
     }
     if (nch!=_EOF_) {
 	_UNGETC_(nch, file);
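Review bot: The new guard `if (*format) format++;` has no comment saying which path can leave `format` on the terminating NUL, so a later cleanup could easily turn it back into an unconditional increment. I would add a comment above it such as `/* a truncated directive (e.g. "%[^") leaves format on the terminating NUL; do not step past it */`. The code that scans the `%[` set is outside this hunk, so it is not visible here whether that scan checks `*format` before each of its own increments. The commit message limits the fix to the `%[^` form, so that scan is worth confirming alongside this tail guard. The enclosing function starts and ends outside the hunk.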
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index 5e961f19b0..0eb4e4e95d 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -306,6 +306,11 @@ static void test_sscanf_s(void)
     ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
     ok(!strcmp("aaa", buf), "buf = %s\n", buf);
 
+    memset(buf, 'a', sizeof(buf));
+    ret = psscanf_s(" ", "%[^", buf, 2);
+    ok(ret == 1, "Wrong number of arguments read: %d\n", ret);
+    ok(!strcmp(" ", buf), "buf = %s\n", buf);
+
     i = 1;
     ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
     ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
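Review bot: The added case checks only the return value and the contents of `buf` for `"%[^"`, so it does not observe the out-of-bounds read of the format string itself. Without the fix, that read is undefined behaviour and the same two `ok()` checks could still pass, which means the test only guards against regression when run under a memory checker. The case also covers a single truncated form through `psscanf_s`, while the fix sits in `scanf.h` under `_FUNCTION_`, which appears to be a template shared by other scanf variants. I would add sibling cases for the other truncated set forms (for example `"%["`), with expected results taken from native behaviour, and a short comment such as `/* format string ends inside a %[ set: must not read past the terminator */` above the block.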
-- 
2.18.0



