Date: Thu, 14 Mar 2019 19:19:19 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: segfault on sscanf

* Markus Wichmann <nullplan@....net> [2019-03-14 17:53:35 +0100]:
> The input is just "0". So inside this if-clause, shgetc() will return
> EOF and set the FILE's shend to 0. The shunget() therefore does nothing.
> Then we continue on to decfloat(). decfloat() will call shgetc() at least
> once. Unfortunately, this is shgetc()'s definition:
> 
> #define shgetc(f) (((f)->rpos != (f)->shend) ? *(f)->rpos++ : __shgetc(f))
> 
> Since f->shend == 0, but f->rpos == "0"+1, this will start dereferencing
> uncharted territory. But it will probably not crash immediately. That's
> what the %c parser is for. For %c it will keep parsing forever,
> eventually reaching unmapped memory and segfaulting.
> 
> Bonus: Since now f->rpos > f->rend, __shlim() does nothing to prevent
> this issue.
> 
> Maybe the EOF status should be sticky. Like this? (Line break because
> e-mail).
> 
> #define shgetc(f) (!(f)->shend ? EOF : \
>     (f)->rpos != (f)->shend ?  *(f)->rpos++ : __shgetc(f))

I think __shgetc should ensure f->rpos == f->shend on EOF.
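The sequence described in the thread, replayed on a small model of the scanf read helpers. This is an added example and not musl's own code: the struct, the slow-path function and the `clamp` switch are constructed here to show the two behaviours side by side. `clamp == 0` reproduces the report (shend left at 0 after EOF, so the next fast-path read walks past the end of the string), `clamp == 1` applies the idea from the reply (leave rpos == shend on EOF so every later shgetc() takes the slow path and gets a sticky EOF). The backing array has guard bytes after the logical end of the string so the stray read lands on known memory instead of faulting; in the real library it keeps going until it hits unmapped pages.

```c
#include <stdio.h>

/* Constructed stand-in for the FILE fields that musl's scanf helpers
 * shgetc()/shunget()/__shlim() touch.  Not musl's own struct. */
struct shfile {
    const unsigned char *buf;   /* start of the backing string        */
    const unsigned char *rpos;  /* next byte shgetc() hands out       */
    const unsigned char *rend;  /* one past the last valid byte       */
    const unsigned char *shend; /* fast-path limit; 0 after EOF (bug) */
    long shlim;                 /* byte limit of the conversion, -1 after EOF */
    long shcnt;                 /* bytes consumed by the conversion   */
};

/* Same shape as the macros quoted in the thread; `clamp` is added here
 * only to select the EOF behaviour of the slow path. */
#define shcnt(f)        ((f)->shcnt + ((f)->rpos - (f)->buf))
#define shunget(f)      ((f)->shlim >= 0 ? (void)(f)->rpos-- : (void)0)
#define shgetc(f, clamp) ((f)->rpos != (f)->shend ? *(f)->rpos++ : uflow_slow((f), (clamp)))

/* Set the read limit for one conversion (lim == 0 means "no limit"). */
static void shlim_init(struct shfile *f, long lim)
{
    f->shlim = lim;
    f->shcnt = f->buf - f->rpos;
    if (lim && f->rend - f->rpos > lim)
        f->shend = f->rpos + lim;
    else
        f->shend = f->rend;
}

/* Slow path taken when rpos == shend.  A string-backed FILE (sscanf) has
 * nothing beyond rend, so reaching it is EOF.  clamp == 0: shend = 0 as
 * described in the report.  clamp == 1: keep rpos == shend on EOF as
 * proposed in the reply, so the next shgetc() comes back here. */
static int uflow_slow(struct shfile *f, int clamp)
{
    long cnt = shcnt(f);
    if ((f->shlim && cnt >= f->shlim) || f->rpos >= f->rend) {
        f->shcnt = f->buf - f->rpos + cnt;
        f->shend = clamp ? f->rpos : 0;
        f->shlim = -1;
        return EOF;
    }
    cnt++;
    if (f->shlim && f->rend - f->rpos > f->shlim - cnt)
        f->shend = f->rpos + (f->shlim - cnt);
    else
        f->shend = f->rend;
    f->shcnt = f->buf - f->rpos + cnt;
    return *f->rpos++;
}

/* Replay the report on the input "0": the float parser consumes '0',
 * peeks for an 'x' (EOF), calls shunget() (a no-op, shlim is now -1),
 * then decfloat() calls shgetc() again.  Returns what that last call
 * yields: a guard byte 'G' for the buggy variant, EOF for the clamped one. */
int replay_after_eof(int clamp)
{
    static const unsigned char backing[] = "0GGG";   /* "0" + guard bytes */
    struct shfile f = { backing, backing, backing + 1, 0, 0, 0 };
    int c;

    shlim_init(&f, 0);
    c = shgetc(&f, clamp);
    if (c != '0')
        return -2;                  /* should not happen */
    c = shgetc(&f, clamp);          /* peek for 'x': hits EOF */
    if (c != EOF)
        return -3;                  /* should not happen */
    shunget(&f);                    /* does nothing: shlim < 0 */
    return shgetc(&f, clamp);       /* what decfloat() sees next */
}

int main(void)
{
    int buggy = replay_after_eof(0);
    int fixed = replay_after_eof(1);
    printf("shend = 0 after EOF : next shgetc() -> %d ('%c', past end of string)\n",
           buggy, buggy);
    printf("rpos == shend on EOF: next shgetc() -> %d (EOF, sticky)\n", fixed);
    return 0;
}
```

The point of the guard bytes is only to make the stray read observable without undefined behaviour in the example itself; the value `'G'` coming back is the byte after the string terminator's position, which is exactly the "uncharted territory" the report describes, and with a `%c` directive nothing in the fast path would ever stop that walk.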
