Bug 28932 - scanf "%n" incorrectly requires int pointer, instead of size_t pointer
Summary: scanf "%n" incorrectly requires int pointer, instead of size_t pointer
Status: RESOLVED NOTABUG
Alias: None
Product: glibc
Classification: Unclassified
Component: stdio
Version: unspecified
Importance: P2 minor
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-01 05:01 UTC by John M Kenny
Modified: 2022-03-01 09:06 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Description John M Kenny 2022-03-01 05:01:38 UTC
The scanf function's conversion specifier "%n" requires the next pointer to be a pointer to an int. That int gets "the number of characters consumed thus far from the input". However, an int may not be large enough to read the number of chars read.

Previous programmers have identified this issue and resolved it by using a size_t. As evidence, the strlen(3) function returns a size_t and not an int.

The fix: make the required pointer for the "%n" conversion specifier a size_t pointer instead of an int.
Comment 1 Andreas Schwab 2022-03-01 09:06:25 UTC
If you want to store a size_t, use %zn.
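
An added example, not part of the original bug thread or of glibc: a tokenizer that advances through a buffer using the `size_t` offset reported by `%zn`, next to the plain `%n` form that takes an `int *`. The function names, the 31-character token bound and the sample string are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input for this example. */
static const char SAMPLE[] = "  alpha beta\tgamma  ";

/* Count whitespace-separated tokens in buf, advancing by the size_t
 * offset that "%zn" reports. *end_off receives the offset just past
 * the last token. Tokens longer than 31 characters are split. */
size_t count_tokens(const char *buf, size_t *end_off)
{
    char tok[32];
    size_t off = 0, count = 0;

    for (;;) {
        size_t used = 0; /* type must match %zn: pointer to size_t */
        /* %31s bounds the write into tok; %zn stores the characters
         * consumed so far and is not counted in the return value. */
        if (sscanf(buf + off, "%31s%zn", tok, &used) != 1)
            break;
        off += used;
        count++;
    }
    *end_off = off;
    return count;
}

/* The same measurement with plain %n, whose argument is a pointer to int.
 * Returns -1 if no token was read. */
int consumed_int(const char *buf)
{
    char tok[32];
    int used = 0;

    if (sscanf(buf, "%31s%n", tok, &used) != 1)
        return -1;
    return used;
}

int main(void)
{
    size_t end = 0;
    size_t n = count_tokens(SAMPLE, &end);

    printf("%zu tokens, parsing stopped at offset %zu\n", n, end);
    printf("first token ends at offset %d (plain %%n)\n", consumed_int(SAMPLE));
    return 0;
}
```

Passing a `size_t *` to plain `%n` is a type mismatch with the conversion and is undefined behavior; compiling with `-Wformat` (part of `-Wall` in GCC and Clang) reports it.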