[PATCH v2 2/3] msvcrt: Verify format string to prevent buffer overrun

janisozaur at gmail.com janisozaur at gmail.com
Sun Jul 29 16:25:16 CDT 2018


From: Michał Janiszewski <janisozaur at gmail.com>

An unexpected format string of the form "%" can cause the scanf() family of
functions to read past the end of it.

Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
 dlls/msvcrt/scanf.h       | 2 +-
 dlls/msvcrt/tests/scanf.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 68585468fe..138d4351a2 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -686,7 +686,7 @@ _FUNCTION_ {
 		 * use %%." */
                 while ((nch!=_EOF_) && _ISSPACE_(nch))
                     nch = _GETC_(file);
-                if ((_CHAR_)nch == *format) {
+                if (*format && (_CHAR_)nch == *format) {
                     suppress = 1; /* whoops no field to be read */
                     st = 1; /* but we got what we expected */
                     nch = _GETC_(file);
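Review bot: the new `*format &&` guard on the `if` after the whitespace-skipping loop carries no comment saying which input it protects against, and the existing comment above it only talks about the `%%` case. Please add a short comment that a format string ending in a lone `%` leaves `*format` pointing at the terminator here. The hunk does not show the path taken when this `if` is now false because `*format` is NUL, so it is worth confirming in the patch description that nothing after it advances `format` past the terminator.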
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index e1e351e0bb..06165558c5 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -300,6 +300,12 @@ static void test_sscanf_s(void)
     ok(ret == 1, "Wrong number of arguments read: %d\n", ret);
     ok(!strcmp(" ", buf), "buf = %s\n", buf);
 
+    memset(buf, 'a', sizeof(buf));
+    buf[4] = 0;
+    ret = psscanf_s(" ", "%", buf, 2);
+    ok(ret == EOF, "Wrong number of arguments read: %d\n", ret);
+    ok(!strcmp("aaaa", buf), "buf = %s\n", buf);
+
     i = 1;
     ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
     ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
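Review bot: the added case in test_sscanf_s only exercises whitespace-only input (" ") against the "%" format, and only through psscanf_s, while the commit message speaks of the scanf() family. Consider adding the same format with non-whitespace input and with an empty input string, plus a plain sscanf variant, so the guard is tested on more than one path. The failure text "Wrong number of arguments read" is also misleading for a check that expects `ret == EOF`; a message naming the expected EOF return would make a failure easier to read.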
-- 
2.18.0



