This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Buffer overrun in vfwscanf

From: Douglas Katzman <dougk at google dot com>
To: newlib at sourceware dot org
Date: Fri, 25 Mar 2016 14:29:23 -0400
Subject: Buffer overrun in vfwscanf
Authentication-results: sourceware.org; auth=none

Hi,

There's an access before the beginning of an array at line 351 of
vfwscanf.c if the machine's wchar_t type is 4 bytes.  gcc seems not to
care about this, but clang finds it.

sizeof (fp->_ubuf) = 3, and it computes &fp->_ubuf[3 - 4] and then
assigns through that pointer, stomping on 1 byte of the preceding _ur
field.
In general it looks like wide char support only works for 2 byte chars.

Also, entirely separate issue:
The last 2 parameters in the "Traditional C" argument list for
_sungetc_r and _sungetwc_r and reversed and wrongly named.
_sungetc_r has (data, fp, ch) but should be (data, c, fp)
_sungetwc_r has (data, fp, ch) but should be (data, wc, fp)

Doug

Follow-Ups:
- Re: Buffer overrun in vfwscanf
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]