The value of "i" could already have been modified by "while (*fmt != ']')", which would terminate the string at the wrong place (this can be seen with busybox's "netstat -nu", for example). Using either a different variable or resetting i fixes the bug. The first option has been chosen, as this way the "initialize the vars at the top" approach used in commit e567c399ff86d007d8c4586f0dd5e0ca61e283ca doesn't need to be changed. The order of some assignments has also been changed to restore the same order that was in use before e567c399ff86d007d8c4586f0dd5e0ca61e283ca (for example, *ptr would have been set in the "fail" case before the commit but not afterwards).
Signed-off-by: Pirmin Walthert <[email protected]> --- libc/stdio/_scanf.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/libc/stdio/_scanf.c b/libc/stdio/_scanf.c index 9659423..6d8d5ac 100644 --- a/libc/stdio/_scanf.c +++ b/libc/stdio/_scanf.c @@ -1135,7 +1135,7 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) struct scan_cookie sc; psfs_t psfs; - int i; + int i,j; #ifdef __UCLIBC_MJN3_ONLY__ #warning TODO: Fix MAX_DIGITS. We do not do binary, so...! @@ -1360,7 +1360,7 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) /* With 'm', we actually got a pointer to a pointer */ ptr = (void *)b; - i = 0; + j = 0; if (psfs.flags & FLAG_MALLOC) { len = 0; b = NULL; @@ -1379,15 +1379,17 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) while (__scan_getc(&sc) >= 0) { zero_conversions = 0; - b[i] = sc.cc; - i += psfs.store; + b[j] = sc.cc; + j += psfs.store; } + if (psfs.flags & FLAG_MALLOC) + *ptr = b; + b += j; + __scan_ungetc(&sc); if (sc.width > 0) { /* Failed to read all required. */ goto DONE; } - if (psfs.flags & FLAG_MALLOC) - *ptr = b; psfs.cnt += psfs.store; goto NEXT_FMT; } @@ -1397,14 +1399,14 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) /* Yes, believe it or not, a %s conversion can store nuls. */ while ((__scan_getc(&sc) >= 0) && !isspace(sc.cc)) { zero_conversions = 0; - if (i == len) { + if (j == len) { /* Pick a size that won't trigger a lot of * mallocs early on ... */ len += 256; b = realloc(b, len + 1); } - b[i] = sc.cc; - i += psfs.store; + b[j] = sc.cc; + j += psfs.store; fail = 0; } 
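Review bot: In the `%c` hunk (@@ -1379) the store `*ptr = b;` now runs before the `if (sc.width > 0)` failure check, so with the 'm' flag a short read hands the caller a buffer for a conversion that is not counted in the return value, and nothing in the code says who frees it. The commit message describes this ordering as intentional, but the code itself carries no such explanation. A comment above the store would make the contract explicit, for example `/* With 'm', publish the buffer before the failure checks so it stays reachable; the caller owns and frees it. */`, assuming that is the intended contract. The common tail for `%s` and `%[` in the last hunk (@@ -1463) has the same ordering before `if (fail)` and deserves the same comment. The allocation for the `%c` case happens outside this hunk, so whether it is checked cannot be seen here.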
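Review bot: The context line `b = realloc(b, len + 1);` in the `%s` loop (@@ -1397) is unchecked: if it returns NULL the old buffer is leaked, and the following `b[j] = sc.cc;` writes through a null-based pointer at an offset that grows with the input. The same pattern appears in the `%[` loop of the next hunk (@@ -1463). Going through a temporary, e.g. `tmp = realloc(b, len + 1); if (!tmp) goto DONE; b = tmp;`, would avoid both, though the failure path then also has to decide what ends up in `*ptr` and who frees the old buffer. How `len` is initialised when FLAG_MALLOC is clear is outside these hunks, so it cannot be confirmed here that the growth branch is only reached for 'm' conversions.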
@@ -1463,26 +1465,27 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) if (!scanset[sc.cc]) { break; } - if (i == len) { + if (j == len) { /* Pick a size that won't trigger a lot of * mallocs early on ... */ len += 256; b = realloc(b, len + 1); } - b[i] = sc.cc; - i += psfs.store; + b[j] = sc.cc; + j += psfs.store; fail = 0; } } /* Common tail for processing of %s and %[. */ + if (psfs.flags & FLAG_MALLOC) + *ptr = b; + b += j; + __scan_ungetc(&sc); if (fail) { /* nothing stored! */ goto DONE; } - if (psfs.flags & FLAG_MALLOC) - *ptr = b; - b += i; *b = 0; /* Nul-terminate string. */ psfs.cnt += psfs.store; goto NEXT_FMT; -- 1.7.10.4 _______________________________________________ uClibc mailing list [email protected] http://lists.busybox.net/mailman/listinfo/uclibc
