This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.
Buffer overrun in vfwscanf
- From: Douglas Katzman <dougk at google dot com>
- To: newlib at sourceware dot org
- Date: Fri, 25 Mar 2016 14:29:23 -0400
- Subject: Buffer overrun in vfwscanf
Hi,
There's an access before the beginning of an array at line 351 of
vfwscanf.c if the machine's wchar_t type is 4 bytes. gcc seems not to
care about this, but clang finds it.
sizeof (fp->_ubuf) = 3, and it computes &fp->_ubuf[3 - 4] and then
assigns through that pointer, stomping on 1 byte of the preceding _ur
field.
In general it looks like wide char support only works for 2 byte chars.
Also, entirely separate issue:
The last 2 parameters in the "Traditional C" argument list for
_sungetc_r and _sungetwc_r are reversed and wrongly named.
_sungetc_r has (data, fp, ch) but should be (data, c, fp)
_sungetwc_r has (data, fp, ch) but should be (data, wc, fp)
Doug
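
The index arithmetic described in the message above, as an added C example that is not part of the original post and is not newlib code. The struct `model_file` and the functions `bytes_before_buffer`, `index_wraps`, `model_unget_wide` and `demo` are hypothetical names; only the 3-byte buffer size, the 2- and 4-byte wide-character widths and the `_ur`/`_ubuf` field roles come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the two fields named in the report; this is
   not newlib's FILE layout. */
struct model_file {
    int ur;                 /* stands in for _ur, declared just before the buffer */
    unsigned char ubuf[3];  /* stands in for _ubuf: 3 bytes, as reported */
    unsigned char *p;       /* read pointer into ubuf after a push-back */
};

/* Bytes of an elem_size-byte store, placed so that it ends at the end of a
   buf_size-byte buffer, that fall before the buffer's first byte. */
static size_t bytes_before_buffer(size_t buf_size, size_t elem_size)
{
    return elem_size > buf_size ? elem_size - buf_size : 0;
}

/* The unsigned index buf_size - elem_size cannot go negative: it wraps to a
   huge value, and pointer arithmetic then lands before the array. */
static int index_wraps(size_t buf_size, size_t elem_size)
{
    return buf_size - elem_size > buf_size;
}

/* Guarded push-back (assumed design): store the wide character at the end
   of ubuf only if it fits; otherwise fail and leave every field untouched. */
static int model_unget_wide(struct model_file *fp, const void *wc, size_t wc_size)
{
    if (wc_size > sizeof fp->ubuf)
        return -1;                       /* store would start before ubuf */
    fp->p = fp->ubuf + (sizeof fp->ubuf - wc_size);
    memcpy(fp->p, wc, wc_size);          /* memcpy also avoids a misaligned store */
    return 0;
}

/* Constructed demo: push back a 2-byte and a 4-byte value and return ur
   afterwards so the caller can confirm it was not modified. */
static int demo(int *rc2, int *rc4)
{
    struct model_file f = { 0x11223344, { 0, 0, 0 }, NULL };
    uint16_t w2 = 0x263A;                /* constructed 2-byte wide char */
    uint32_t w4 = 0x1F600;               /* constructed 4-byte wide char */
    *rc2 = model_unget_wide(&f, &w2, sizeof w2);
    *rc4 = model_unget_wide(&f, &w4, sizeof w4);
    return f.ur;
}

int main(void) { int a, b; return demo(&a, &b) == 0x11223344 ? 0 : 1; }
```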