Date: Thu, 14 Mar 2019 19:19:19 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: segfault on sscanf

* Markus Wichmann <nullplan@....net> [2019-03-14 17:53:35 +0100]:
> The input is just "0". So inside this if-clause, shgetc() will return
> EOF and set the FILE's shend to 0. The shunget() therefore does nothing.
> Then we continue on to decfloat(). decfloat() will call shget() at least
> once. Unfortunately, this is shget()'s definition:
>
> #define shgetc(f) (((f)->rpos != (f)->shend) ? *(f)->rpos++ : __shgetc(f))
>
> Since f->shend == 0, but f->rpos == "0"+1, this will start dereferencing
> uncharted territory. But it will probably not crash immediately. That's
> what the %c parser is for. For %c it will keep parsing forever,
> eventually reaching unmapped memory and segfaulting.
>
> Bonus: Since now f->rpos > f->rend, __shlim() does nothing to prevent
> this issue.
>
> Maybe the EOF status should be sticky. Like this? (Line break because
> e-mail).
>
> #define shgetc(f) (!(f)->shend ? EOF : \
> (f)->rpos != (f)->shend ? *(f)->rpos++ : __shgetc(f))

i think __shgetc should ensure f->rpos == f->shend on EOF
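A constructed C model of the shgetc()/shunget() state discussed above, added here as an example and not musl's own code: it replays scanning the input "0", hits EOF, and then checks whether the macro's fast path would dereference past the buffer, once with shend cleared to 0 as the thread describes and once with the suggested invariant that __shgetc leaves f->rpos == f->shend on EOF. The eof flag standing in for musl's shlim bookkeeping in shunget() is an assumption of the model.

```c
/* Constructed model of the scanf read helper the thread discusses; not musl's code. */
#include <stdio.h>

struct shf {
    const unsigned char *buf, *rpos, *rend; /* backing buffer and read cursor */
    const unsigned char *shend;             /* scan-helper end pointer */
    int eof;                                /* set once the slow path hit EOF (assumed flag) */
    int fix;                                /* 1: on EOF keep rpos == shend (suggested fix) */
};

/* Slow path, taken when rpos == shend. The whole input is buffered here,
 * so running out of buffer is EOF. */
static int sh_uflow(struct shf *f)
{
    if (f->rpos >= f->rend) {
        f->eof = 1;
        f->shend = f->fix ? f->rpos : 0;   /* bug: shend = 0 leaves rpos != shend */
        return EOF;
    }
    f->shend = f->rend;
    return *f->rpos++;
}

/* Same shape as the shgetc macro quoted in the thread. */
static int sh_getc(struct shf *f)
{
    return (f->rpos != f->shend) ? *f->rpos++ : sh_uflow(f);
}

/* shunget: push back one byte unless EOF was already hit. */
static void sh_unget(struct shf *f) { if (!f->eof) f->rpos--; }

/* Replays the thread's scenario on the constructed input "0": read the digit,
 * hit EOF, shunget, then continue reading as decfloat() would.
 * Returns 1 if the next shgetc() would dereference past the buffer,
 * 0 if EOF is sticky (rpos == shend and repeated reads keep returning EOF),
 * -1 if the setup did not behave as expected. */
static int next_read_overruns(int fix)
{
    static const unsigned char in[] = "0";               /* constructed input */
    struct shf f = { in, in, in + sizeof in - 1, 0, 0, fix };
    f.shend = f.rend;                                    /* what shlim() establishes */
    if (sh_getc(&f) != '0' || sh_getc(&f) != EOF) return -1;
    sh_unget(&f);                                        /* no-op after EOF */
    if (f.rpos != f.shend) return 1;                     /* fast path would read past in[] */
    for (int i = 0; i < 3; i++)                          /* EOF must stay EOF, rpos must not move */
        if (sh_getc(&f) != EOF || f.rpos != in + 1) return -1;
    return 0;
}
```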