Hello

It seems like commit e567c399ff86d007d8c4586f0dd5e0ca61e283ca <http://git.uclibc.org/uClibc/commit/?h=0.9.33&id=e567c399ff86d007d8c4586f0dd5e0ca61e283ca> had introduced a bug into _scanf.c.

I noticed this first when netstat started giving me quite strange outputs. The attached patch fixes the problem for me. The most important change was to use j instead of i, as i is also used in the "if (*fmt != ']')" loop starting on line 1436.

The other changes should not change any behaviour, I guess, but they make the 'm'-modifier case work a bit more like it did before commit e567c399ff86d007d8c4586f0dd5e0ca61e283ca <http://git.uclibc.org/uClibc/commit/?h=0.9.33&id=e567c399ff86d007d8c4586f0dd5e0ca61e283ca>. For example, *ptr = b would also have been set in the "fail" case before the mentioned commit; with my patch, the order of setting *p, changing j and calling __scan_ungetc is the same as it was before.

Regards,

Pirmin
--- a/libc/stdio/_scanf.c	2013-01-09 14:12:52.000000000 +0100
+++ b/libc/stdio/_scanf.c	2013-03-18 09:30:52.000000000 +0100
@@ -1138,7 +1138,7 @@
 
 	struct scan_cookie sc;
 	psfs_t psfs;
-	int i;
+	int i,j;
 
 #ifdef __UCLIBC_MJN3_ONLY__
 #warning TODO: Fix MAX_DIGITS.  We do not do binary, so...!
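Review bot: The new `j` in `int i,j;` carries no comment saying why it must stay distinct from `i`, and that separation is the entire fix. I would declare it on its own line as `int j; /* write index into the %c/%s/%[ destination; kept apart from i, which the %[ scanset parsing reuses */`. The enclosing function starts and ends outside this hunk, so the type of `len`, which `j` is later compared against, is not visible here; if it is not a plain int, `j` should match it.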
@@ -1363,7 +1363,7 @@
 				/* With 'm', we actually got a pointer to a pointer */
 				ptr = (void *)b;
 
-				i = 0;
+				j = 0;
 				if (psfs.flags & FLAG_MALLOC) {
 					len = 0;
 					b = NULL;
@@ -1382,15 +1382,17 @@
 
 					while (__scan_getc(&sc) >= 0) {
 						zero_conversions = 0;
-						b[i] = sc.cc;
-						i += psfs.store;
+						b[j] = sc.cc;
+						j += psfs.store;
 					}
+					if (psfs.flags & FLAG_MALLOC)
+						*ptr = b;
+					b += j;
+
 					__scan_ungetc(&sc);
 					if (sc.width > 0) {	/* Failed to read all required. */
 						goto DONE;
 					}
-					if (psfs.flags & FLAG_MALLOC)
-						*ptr = b;
 					psfs.cnt += psfs.store;
 					goto NEXT_FMT;
 				}
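Review bot: Moving `if (psfs.flags & FLAG_MALLOC) *ptr = b;` above the `sc.width > 0` check means the caller's pointer is written even when the conversion ends in `goto DONE` and `psfs.cnt` is not incremented. A caller that frees only the conversions counted in the return value could then leak that buffer or read a partially filled one; whether the DONE path releases it is outside this hunk. The same reordering is applied to the common tail for %s and %[ further down. If restoring the earlier behaviour is intended, say so at the store with something like `/* *ptr is set even on a failed conversion, as before e567c399 */`. The added `b += j;` in this branch has no visible use before either goto and looks removable.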
@@ -1400,14 +1402,14 @@
 					/* Yes, believe it or not, a %s conversion can store nuls. */
 					while ((__scan_getc(&sc) >= 0) && !isspace(sc.cc)) {
 						zero_conversions = 0;
-						if (i == len) {
+						if (j == len) {
 							/* Pick a size that won't trigger a lot of
 							 * mallocs early on ... */
 							len += 256;
 							b = realloc(b, len + 1);
 						}
-						b[i] = sc.cc;
-						i += psfs.store;
+						b[j] = sc.cc;
+						j += psfs.store;
 						fail = 0;
 					}
 
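Review bot: The store `b[j] = sc.cc;` follows `b = realloc(b, len + 1);` with no check of the result, so an allocation failure becomes a write through NULL and loses the old buffer, and the buffer size here grows with the input being scanned. Take the result in a temporary and bail out on failure: `void *nb = realloc(b, len + 1);`, `if (nb == NULL) goto DONE;`, `b = nb;`. The %[ loop in the next hunk has the same pattern. How the old buffer should be released on that path, and whether errno is to be set, depends on the DONE code, which is outside these hunks.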
@@ -1466,26 +1468,27 @@
 						if (!scanset[sc.cc]) {
 							break;
 						}
-						if (i == len) {
+						if (j == len) {
 							/* Pick a size that won't trigger a lot of
 							 * mallocs early on ... */
 							len += 256;
 							b = realloc(b, len + 1);
 						}
-						b[i] = sc.cc;
-						i += psfs.store;
+						b[j] = sc.cc;
+						j += psfs.store;
 						fail = 0;
 					}
 				}
 				/* Common tail for processing of %s and %[. */
 
+				if (psfs.flags & FLAG_MALLOC)
+					*ptr = b;
+				b += j;
+
 				__scan_ungetc(&sc);
 				if (fail) {	/* nothing stored! */
 					goto DONE;
 				}
-				if (psfs.flags & FLAG_MALLOC)
-					*ptr = b;
-				b += i;
 				*b = 0;		/* Nul-terminate string. */
 				psfs.cnt += psfs.store;
 				goto NEXT_FMT;