diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2016-10-22 22:43:28 +0300 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2016-10-22 22:43:28 +0300 |
| commit | 941df759a2758760b60e9c6b13b401c151070fb0 (patch) | |
| tree | 128b941669a9668a5f5b856dabb31fc3d272dde0 /newlib/libc/stdio | |
| parent | 94f40db019e23790726ee678d5d5d4c68b77ceb2 (diff) | |
Fix a potential buffer overflow in wscanf family
Fixes Coverity CID 60046
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'newlib/libc/stdio')
| -rw-r--r-- | newlib/libc/stdio/vfwscanf.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/newlib/libc/stdio/vfwscanf.c b/newlib/libc/stdio/vfwscanf.c index a46f8dcde..5b35601be 100644 --- a/newlib/libc/stdio/vfwscanf.c +++ b/newlib/libc/stdio/vfwscanf.c @@ -1173,14 +1173,14 @@ _DEFUN(__SVFWSCANF_R, (rptr, fp, fmt0, ap), char nancount = 0; char infcount = 0; #ifdef hardway - if (width == 0 || width > sizeof (buf) - 1) + if (width == 0 || width > sizeof (buf) / sizeof (*buf) - 1) #else /* size_t is unsigned, hence this optimisation */ - if (width - 1 > sizeof (buf) - 2) + if (width - 1 > sizeof (buf) / sizeof (*buf) - 2) #endif { - width_left = width - (sizeof (buf) - 1); - width = sizeof (buf) - 1; + width_left = width - (sizeof (buf) / sizeof (*buf) - 1); + width = sizeof (buf) / sizeof (*buf) - 1; } flags |= SIGNOK | NDIGITS | DPTOK | EXPOK; zeroes = 0; @@ -1431,8 +1431,10 @@ _DEFUN(__SVFWSCANF_R, (rptr, fp, fmt0, ap), /* If there might not be enough space for the new exponent, truncate some trailing digits to make room. */ - if (exp_start >= buf + sizeof (buf) - MAX_LONG_LEN) - exp_start = buf + sizeof (buf) - MAX_LONG_LEN - 1; + if (exp_start >= buf + sizeof (buf) / sizeof (*buf) + - MAX_LONG_LEN) + exp_start = buf + sizeof (buf) / sizeof (*buf) + - MAX_LONG_LEN - 1; swprintf (exp_start, MAX_LONG_LEN, L"e%ld", new_exp); } |