Don't accept exp char without preceding digits in scanf float parsing

2024-11-09 23:00:07 +00:00 · 2013-01-14 17:32:20 +01:00 · 2013-01-14 17:32:20 +01:00 · 6ecec3b616
commit 6ecec3b616
parent 273cdee86d
5 changed files with 61 additions and 12 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 2013-04-11  Andreas Schwab  <schwab@suse.de>

+	[BZ #13988]
+	* stdio-common/vfscanf.c (_IO_vfwscanf): When parsing a float
+	accept exponent character only when digits were seen.
+	* stdio-common/Makefile (tests): Add bug26.
+	* stdio-common/bug26.c: New file.
+
 	[BZ #14293]
 	* elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as
 	non-freeable.
--- a/12
+++ b/12
@ -9,12 +9,12 @@ Version 2.18

 * The following bugs are resolved with this release:

-  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142,
-  14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920,
-  14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023,
-  15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283,
-  15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336,
-  15337, 15342, 15346.
+  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 13988,
+  14142, 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812,
+  14920, 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020,
+  15023, 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234,
+  15283, 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335,
+  15336, 15337, 15342, 15346.

 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
  #15078).
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
 	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
 	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
 	 bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
-	 bug25 tst-printf-round
+	 bug25 tst-printf-round bug26

 test-srcs = tst-unbputc tst-printf

--- a/stdio-common/bug26.c
+++ b/stdio-common/bug26.c
@ -0,0 +1,37 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+  FILE *f;
+  int lost = 0;
+  int c;
+  double d;
+  char s[] = "+.e";
+
+  f = fmemopen (s, strlen (s), "r");
+  /* This should fail to parse a float and leave 'e' in the input.  */
+  lost |= (fscanf (f, "%f", &d) != 0);
+  c = fgetc (f);
+  lost |= c != 'e';
+  puts (lost ? "Test FAILED!" : "Test succeeded.");
+  return lost;
+}
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@ -222,7 +222,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
  /* Errno of last failed inchar call.  */
  int inchar_errno = 0;
  /* Status for reading F-P nums.  */
-  char got_dot, got_e, negative;
+  char got_digit, got_dot, got_e, negative;
  /* If a [...] is a [^...].  */
  CHAR_T not_in;
 #define exp_char not_in
@ -1845,7 +1845,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 	  if (__builtin_expect (c == EOF, 0))
 	    input_error ();

-	  got_dot = got_e = 0;
+	  got_digit = got_dot = got_e = 0;

 	  /* Check for a sign.  */
 	  if (c == L_('-') || c == L_('+'))
@ -1971,13 +1971,19 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 	  while (1)
 	    {
 	      if (ISDIGIT (c))
-		ADDW (c);
+		{
+		  ADDW (c);
+		  got_digit = 1;
+		}
 	      else if (!got_e && (flags & HEXA_FLOAT) && ISXDIGIT (c))
-		ADDW (c);
+		{
+		  ADDW (c);
+		  got_digit = 1;
+		}
 	      else if (got_e && wp[wpsize - 1] == exp_char
 		       && (c == L_('-') || c == L_('+')))
 		ADDW (c);
-	      else if (wpsize > 0 && !got_e
+	      else if (got_digit && !got_e
 		       && (CHAR_T) TOLOWER (c) == exp_char)
 		{
 		  ADDW (exp_char);