diff options
author | Will Newton <will.newton@imgtec.com> | 2015-05-08 01:15:19 +0300 |
---|---|---|
committer | Waldemar Brodkorb <wbx@openadk.org> | 2015-06-10 10:17:53 -0500 |
commit | b2d27c71bd13820a4263fa7ebda4c1a4a95b501c (patch) | |
tree | e9907f693fbf5a0884ccac78349290d4069bdec5 /libc/stdio | |
parent | b6c1e98422165a36b19a68daaeee11856033a7f1 (diff) |
_scanf.c: Implement 'm' modifier for 'c' and '[' conversions.
The current code implements the 'm' modifier only for 's'
conversions and would cause a segfault if it was used for 'c'
or '[' conversions. This patch extends the code to cover these
cases too.
The original version could write scanned data outside the passed buffer
because index i used in the '[' conversion handling block was clobbered.
Signed-off-by: Will Newton <will.newton@imgtec.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
Diffstat (limited to 'libc/stdio')
-rw-r--r-- | libc/stdio/_scanf.c | 51 |
1 files changed, 33 insertions, 18 deletions
diff --git a/libc/stdio/_scanf.c b/libc/stdio/_scanf.c index d48fd1267..f2a96700b 100644 --- a/libc/stdio/_scanf.c +++ b/libc/stdio/_scanf.c @@ -1351,7 +1351,20 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) (psfs.conv_num >= CONV_c) #endif /* __UCLIBC_HAS_WCHAR__ */ { + /* We might have to handle the allocation ourselves */ + int len; + unsigned char **ptr; + b = (psfs.store ? ((unsigned char *) psfs.cur_ptr) : buf); + /* With 'm', we actually got a pointer to a pointer */ + ptr = (void *)b; + + if (psfs.flags & FLAG_MALLOC) { + len = 0; + b = NULL; + } else + len = -1; + fail = 1; if (psfs.conv_num == CONV_c) { @@ -1359,32 +1372,28 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) sc.width = 1; } + if (psfs.flags & FLAG_MALLOC) + b = malloc(sc.width); + + i = 0; while (__scan_getc(&sc) >= 0) { zero_conversions = 0; - *b = sc.cc; - b += psfs.store; + b[i] = sc.cc; + i += psfs.store; } __scan_ungetc(&sc); if (sc.width > 0) { /* Failed to read all required. */ goto DONE; } + if (psfs.flags & FLAG_MALLOC) + *ptr = b; psfs.cnt += psfs.store; goto NEXT_FMT; } if (psfs.conv_num == CONV_s) { - /* We might have to handle the allocation ourselves */ - int len; - /* With 'm', we actually got a pointer to a pointer */ - unsigned char **ptr = (void *)b; i = 0; - if (psfs.flags & FLAG_MALLOC) { - len = 0; - b = NULL; - } else - len = -1; - /* Yes, believe it or not, a %s conversion can store nuls. */ while ((__scan_getc(&sc) >= 0) && !isspace(sc.cc)) { zero_conversions = 0; @@ -1399,10 +1408,6 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) fail = 0; } - if (psfs.flags & FLAG_MALLOC) - *ptr = b; - /* The code below takes care of terminating NUL */ - b += i; } else { #ifdef __UCLIBC_HAS_WCHAR__ assert((psfs.conv_num == CONV_LEFTBRACKET) || \ @@ -1453,13 +1458,20 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) #endif /* __UCLIBC_HAS_WCHAR__ */ + i = 0; while (__scan_getc(&sc) >= 0) { zero_conversions = 0; if (!scanset[sc.cc]) { break; } - *b = sc.cc; - b += psfs.store; + if (i == len) { + /* Pick a size that won't trigger a lot of + * mallocs early on ... */ + len += 256; + b = realloc(b, len + 1); + } + b[i] = sc.cc; + i += psfs.store; fail = 0; } } @@ -1469,6 +1481,9 @@ int VFSCANF (FILE *__restrict fp, const Wchar *__restrict format, va_list arg) if (fail) { /* nothing stored! */ goto DONE; } + if (psfs.flags & FLAG_MALLOC) + *ptr = b; + b += i; *b = 0; /* Nul-terminate string. */ psfs.cnt += psfs.store; goto NEXT_FMT; |