[uClibc] [PATCH] Uninitialized value used through vsscanf()

Peter Kjellerstedt peter.kjellerstedt at axis.com
Thu Jul 17 15:19:41 UTC 2003


The attached patch should solve a problem whereby vsscanf()
(and thus sscanf()) failed to initialize bufread in the 
FILE struct that is passed to vfscanf() and which is then
later used.

The problem occurred if the end of the buffer being parsed
had already been reached and a %s format specifier was found.
Then it could parse past the end of the buffer, resulting in
incorrect return values from vfscanf() and sometimes causing
SIGSEGV.

The test program below showed the problem.
 
//Peter

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define CRAP_SIZE 1

int main(void)
{
  int a;
#if 1
  /* heap allocation: an out-of-bounds read/write past the end of the
   * buffer is more likely to be observable (or to crash) here */
  char *crap = malloc(CRAP_SIZE);
  if (crap == NULL)
    return EXIT_FAILURE;
#else
  char crap[CRAP_SIZE];  /* stack allocation may not trigger the bug */
#endif

  memset(crap, 'a', CRAP_SIZE);
  crap[CRAP_SIZE - 1] = '\0';

  /* Input "1" is fully consumed by %d, so %s has nothing to match and
   * sscanf() should return 1, leaving crap untouched.
   * When the bug is triggered this instead prints:
   *   2
   *   crap = ##
   */
  printf("%d\n", sscanf("1", "%d%s", &a, crap));
  printf("crap = #%s#\n", crap);

  return EXIT_SUCCESS;
}
 <<scanf.patch>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scanf.patch
Type: application/octet-stream
Size: 646 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/uclibc/attachments/20030717/40d76130/attachment.obj 
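As an added example (not the patch itself, nor the poster's test program), the same end-of-input case written the way a caller should guard against this class of bug: a width-limited %s, a checked return value, and a sentinel to detect whether the destination buffer was written even though sscanf() reported that the conversion failed. The function names, the 8-byte buffer and the "aaaaaaa" sentinel are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define WORD_LEN 8                  /* buffer size for the %s destination */
#define SENTINEL "aaaaaaa"          /* WORD_LEN - 1 bytes plus the NUL */

/* Parse "<int><word>" as in the mailing-list test, but bounded:
 *  - "%7s" never writes more than WORD_LEN bytes (7 chars + NUL)
 *  - the return value says how many conversions were assigned
 *  - *touched is set to 1 if sscanf() reported fewer than 2 items yet still
 *    modified the word buffer, which is exactly the misbehaviour described
 *    in the post (parsing past the end of the input).
 * Returns the sscanf() result. */
int parse_int_word(const char *input, int *value, char word[WORD_LEN], int *touched)
{
    memcpy(word, SENTINEL, WORD_LEN);       /* fill with a known pattern */
    int n = sscanf(input, "%d%7s", value, word);
    *touched = (n < 2 && strcmp(word, SENTINEL) != 0);
    return n;
}

/* Self-check with the constructed input "1": the integer is consumed, %s
 * hits end of input, so a conforming libc returns 1 and leaves the word
 * buffer alone. Returns 1 when the libc behaves correctly, 0 otherwise. */
int check_eoi_behaviour(void)
{
    int value = 0, touched = 0;
    char word[WORD_LEN];
    int n = parse_int_word("1", &value, word, &touched);
    return n == 1 && value == 1 && !touched;
}

int main(void)
{
    printf("sscanf end-of-input handling: %s\n",
           check_eoi_behaviour() ? "ok" : "BROKEN");
    return 0;
}
```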