[PATCH v2 2/3] msvcrt: Verify format string to prevent buffer overrun
janisozaur at gmail.com
janisozaur at gmail.com
Sun Jul 29 16:25:16 CDT 2018
From: Michał Janiszewski <janisozaur at gmail.com>
An unexpected format string of form "%" can cause scanf() family of
functions to read past end of it.
Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
dlls/msvcrt/scanf.h | 2 +-
dlls/msvcrt/tests/scanf.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 68585468fe..138d4351a2 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -686,7 +686,7 @@ _FUNCTION_ {
* use %%." */
while ((nch!=_EOF_) && _ISSPACE_(nch))
nch = _GETC_(file);
- if ((_CHAR_)nch == *format) {
+ if (*format && (_CHAR_)nch == *format) {
suppress = 1; /* whoops no field to be read */
st = 1; /* but we got what we expected */
nch = _GETC_(file);
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index e1e351e0bb..06165558c5 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -300,6 +300,12 @@ static void test_sscanf_s(void)
ok(ret == 1, "Wrong number of arguments read: %d\n", ret);
ok(!strcmp(" ", buf), "buf = %s\n", buf);
+ memset(buf, 'a', sizeof(buf));
+ buf[4] = 0;
+ ret = psscanf_s(" ", "%", buf, 2);
+ ok(ret == EOF, "Wrong number of arguments read: %d\n", ret);
+ ok(!strcmp("aaaa", buf), "buf = %s\n", buf);
+
i = 1;
ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
--
2.18.0
More information about the wine-devel
mailing list