Do not let scanf("%4p") accept "(nil)". Fixes bug 16055

author: Ondřej Bílka <neleai@seznam.cz> 2013-11-18 12:41:00 +0100
committer: Ondřej Bílka <neleai@seznam.cz> 2013-11-18 12:42:23 +0100
commit: 728dab0e13529ba8778e6ef07e2cc80eddf028b5 (patch)
tree: 390911e7cb25cd8ed168393f1e4d194596fa44c6 /stdio-common
parent: dd8082389e5448c3e716de8431817b30565a48d3 (diff)
2 files changed, 3 insertions, 1 deletions
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 3c34f58a63..a77bc7e30b 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -92,6 +92,8 @@ struct test
   { L("foo bar"), L("foo bar"), 0 },
   { L("foo bar"), L("foo %d"), 0 },
   { L("foo bar"), L("foon%d"), 0 },
+  { L("foo (nil)"), L("foo %p"), 1},
+  { L("foo (nil)"), L("foo %4p"), 0},
   { L("foo "), L("foo %n"), 0 },
   { L("foo%bar1"), L("foo%%bar%d"), 1 },
   /* Some OSes skip whitespace here while others don't.  */
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e6fa8f372b..c0b93ae3b7 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		 we must recognize "(nil)" as well.  */
 	      if (__builtin_expect (wpsize == 0
 				    && (flags & READ_POINTER)
-				    && (width < 0 || width >= 0)
+				    && (width < 0 || width >= 5)
 				    && c == '('
 				    && TOLOWER (inchar ()) == L_('n')
 				    && TOLOWER (inchar ()) == L_('i')
author	Ondřej Bílka <neleai@seznam.cz>	2013-11-18 12:41:00 +0100
committer	Ondřej Bílka <neleai@seznam.cz>	2013-11-18 12:42:23 +0100
commit	728dab0e13529ba8778e6ef07e2cc80eddf028b5 (patch)
tree	390911e7cb25cd8ed168393f1e4d194596fa44c6 /stdio-common
parent	dd8082389e5448c3e716de8431817b30565a48d3 (diff)