fix uninitialized/stale use of alloc (%m modifier) flag in scanf

for conversion specifiers, alloc is always set when the specifier is
parsed. however, if scanf stops due to mismatching literal text,
either an uninitialized (if no conversions have been performed yet) or
stale (from the previous conversion) of the flag will be used,
possibly causing an invalid pointer to be passed to free when the
function returns.

diff --git a/src/stdio/vfscanf.c b/src/stdio/vfscanf.c
index bb9284809846473f09a2ca3aab0de7fd0e2bbab9..68c8e2cf2fd9fcb2f98624d1961c8390ddab8c0e 100644 (file)
--- a/src/stdio/vfscanf.c
+++ b/src/stdio/vfscanf.c
@@ -81,6 +81,8 @@ int vfscanf(FILE *restrict f, const char *restrict fmt, va_list ap)
 
        for (p=(const unsigned char *)fmt; *p; p++) {
 
+               alloc = 0;
+
                if (isspace(*p)) {
                        while (isspace(p[1])) p++;
                        shlim(f, 0);

diff --git a/src/stdio/vfwscanf.c b/src/stdio/vfwscanf.c
index 760864ff97b3800508fdcf264b80b4cd6ba7ce3b..44fac78e0f069086ab3ebcaaccd3eb8db6a80b6e 100644 (file)
--- a/src/stdio/vfwscanf.c
+++ b/src/stdio/vfwscanf.c
@@ -109,6 +109,8 @@ int vfwscanf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
 
        for (p=fmt; *p; p++) {
 
+               alloc = 0;
+
                if (iswspace(*p)) {
                        while (iswspace(p[1])) p++;
                        while (iswspace((c=getwc(f)))) pos++;