[PATCH v2 3/3] msvcrt: Prevent buffer overrun in scanf()
janisozaur at gmail.com
janisozaur at gmail.com
Sun Jul 29 16:25:17 CDT 2018
From: Michał Janiszewski <janisozaur at gmail.com>
Some unexpected sequences can buffer overrun due to insufficient format
string verification.
This patch fixes buffer overrun for format string of form "%[^"
Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
dlls/msvcrt/scanf.h | 2 +-
dlls/msvcrt/tests/scanf.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 138d4351a2..04e06f6882 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -704,7 +704,7 @@ _FUNCTION_ {
nch = _GETC_(file);
} else break;
}
- format++;
+ if (*format) format++;
}
if (nch!=_EOF_) {
_UNGETC_(nch, file);
diff --git a/dlls/msvcrt/tests/scanf.c b/dlls/msvcrt/tests/scanf.c
index 06165558c5..7c005ae14f 100644
--- a/dlls/msvcrt/tests/scanf.c
+++ b/dlls/msvcrt/tests/scanf.c
@@ -306,6 +306,12 @@ static void test_sscanf_s(void)
ok(ret == EOF, "Wrong number of arguments read: %d\n", ret);
ok(!strcmp("aaaa", buf), "buf = %s\n", buf);
+ memset(buf, 'a', sizeof(buf));
+ buf[4] = 0;
+ ret = psscanf_s(" ", "%[^", buf, 2);
+ ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
+ ok(!strcmp("aaaa", buf), "buf = %s\n", buf);
+
i = 1;
ret = psscanf_s("123 123", "%s %d", buf, 2, &i);
ok(ret == 0, "Wrong number of arguments read: %d\n", ret);
--
2.18.0
More information about the wine-devel
mailing list