From: Rich Felker Date: Sat, 20 Jul 2013 04:21:11 +0000 (-0400) Subject: fix uninitialized/stale use of alloc (%m modifier) flag in scanf X-Git-Tag: v0.9.12~55 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1d92cddb1e1ed4b6cc0e55461727561e7a2522e0;p=oweals%2Fmusl.git fix uninitialized/stale use of alloc (%m modifier) flag in scanf for conversion specifiers, alloc is always set when the specifier is parsed. however, if scanf stops due to mismatching literal text, either an uninitialized (if no conversions have been performed yet) or stale (from the previous conversion) of the flag will be used, possibly causing an invalid pointer to be passed to free when the function returns. --- diff --git a/src/stdio/vfscanf.c b/src/stdio/vfscanf.c index bb928480..68c8e2cf 100644 --- a/src/stdio/vfscanf.c +++ b/src/stdio/vfscanf.c @@ -81,6 +81,8 @@ int vfscanf(FILE *restrict f, const char *restrict fmt, va_list ap) for (p=(const unsigned char *)fmt; *p; p++) { + alloc = 0; + if (isspace(*p)) { while (isspace(p[1])) p++; shlim(f, 0); diff --git a/src/stdio/vfwscanf.c b/src/stdio/vfwscanf.c index 760864ff..44fac78e 100644 --- a/src/stdio/vfwscanf.c +++ b/src/stdio/vfwscanf.c @@ -109,6 +109,8 @@ int vfwscanf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap) for (p=fmt; *p; p++) { + alloc = 0; + if (iswspace(*p)) { while (iswspace(p[1])) p++; while (iswspace((c=getwc(f)))) pos++;