Buffer overrun in vfwscanf

Corinna Vinschen vinschen@redhat.com
Sat Mar 26 11:44:00 GMT 2016


On Mar 25 14:29, Douglas Katzman wrote:
> Hi,
> 
> There's an access before the beginning of an array at line 351 of
> vfwscanf.c if the machine's wchar_t type is 4 bytes.  gcc seems not to
> care about this, but clang finds it.
> 
> sizeof (fp->_ubuf) = 3, and it computes &fp->_ubuf[3 - 4] and then
> assigns through that pointer, stomping on 1 byte of the preceding _ur
> field.
> In general it looks like wide char support only works for 2 byte chars.
> 
> Also, entirely separate issue:
> The last 2 parameters in the "Traditional C" argument list for
> _sungetc_r and _sungetwc_r are reversed and wrongly named.
> _sungetc_r has (data, fp, ch) but should be (data, c, fp)
> _sungetwc_r has (data, fp, ch) but should be (data, wc, fp)
> 
> Doug

Please feel free to send patches against the git repo.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
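
Added example, not part of the original messages and not newlib's code: a byte-array model of the write described in the report, where an element is stored so that it ends at the end of the 3-byte _ubuf, next to a variant that refuses elements larger than the buffer. The 4-byte size of _ur, its position directly before _ubuf, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: _ur (assumed 4 bytes) followed directly by the 3-byte
 * _ubuf. A flat byte array stands in for the struct so the out-of-range
 * store can be observed without undefined behaviour. */
enum { UR_OFF = 0, UR_SIZE = 4, UBUF_OFF = UR_OFF + UR_SIZE, UBUF_SIZE = 3,
       MODEL_SIZE = UBUF_OFF + UBUF_SIZE };

/* Unchecked pattern: store at &_ubuf[UBUF_SIZE - elem_size].
 * Returns the number of _ur bytes that changed, or -1 if the store would
 * fall outside the model altogether. */
static int pushback_unchecked(unsigned char *m, const void *elem, size_t elem_size)
{
    unsigned char before[UR_SIZE];
    ptrdiff_t start = (ptrdiff_t)(UBUF_OFF + UBUF_SIZE) - (ptrdiff_t)elem_size;
    int clobbered = 0;

    if (start < 0)
        return -1;
    memcpy(before, m + UR_OFF, UR_SIZE);
    memcpy(m + start, elem, elem_size);
    for (int i = 0; i < UR_SIZE; i++)
        clobbered += (before[i] != m[UR_OFF + i]);
    return clobbered;
}

/* Checked pattern: reject any element that does not fit in _ubuf. */
static int pushback_checked(unsigned char *m, const void *elem, size_t elem_size)
{
    if (elem_size == 0 || elem_size > UBUF_SIZE)
        return -1;
    memcpy(m + UBUF_OFF + UBUF_SIZE - elem_size, elem, elem_size);
    return 0;
}

int main(void)
{
    unsigned char m[MODEL_SIZE];
    const unsigned char wc4[4] = { 0x11, 0x22, 0x33, 0x44 }; /* 4-byte wchar_t */

    memset(m, 0xAA, sizeof m);
    printf("unchecked, 4-byte element: %d byte(s) of _ur overwritten\n",
           pushback_unchecked(m, wc4, sizeof wc4));
    memset(m, 0xAA, sizeof m);
    printf("checked, 4-byte element: returns %d\n",
           pushback_checked(m, wc4, sizeof wc4));
    return 0;
}
```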