From 618fc472ac5f9e6520b9c39218cff15ef616d3cb Mon Sep 17 00:00:00 2001
From: Rocket Ma <marocketbd@gmail.com>
Date: Fri, 17 Apr 2026 23:48:41 -0700
Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]

* stdio-common/vfscanf-internal.c: When enlarging the allocated buffer for
a %mc or %mC conversion, glibc allocates one byte too few, leading to a
user-controlled one-byte overflow. This commit fixes BZ #34008
(CVE-2026-5450).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
---
 stdio-common/Makefile              |  4 +++
 stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++
 stdio-common/vfscanf-internal.c    |  7 ++---
 3 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 stdio-common/tst-vfscanf-bz34008.c

diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index 381040570b..baabcc070d 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -263,6 +263,7 @@ tests := \
   tst-vfprintf-width-i18n \
   tst-vfprintf-width-prec \
   tst-vfprintf-width-prec-alloc \
+  tst-vfscanf-bz34008 \
   tst-wc-printf \
   tstdiomisc \
   tstgetln \
@@ -395,6 +396,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \
 tst-vfprintf-width-prec-ENV = \
   MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \
   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+tst-vfscanf-bz34008-ENV = \
+  MALLOC_CHECK_=3 \
+  LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
 tst-printf-bz25691-ENV = \
   MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \
   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c
new file mode 100644
index 0000000000..48371c8a3d
--- /dev/null
+++ b/stdio-common/tst-vfscanf-bz34008.c
@@ -0,0 +1,48 @@
+/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
+   Copyright (C) 2026 The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "malloc/mcheck.h"
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include <wchar.h>
+#include <stdlib.h>
+#include <malloc.h>
+#include <support/check.h>
+
+#define WIDTH 0x410
+#define SCANFSTR "%1040mc"
+static int
+do_test (void)
+{
+  mcheck_pedantic (NULL);
+  char *input = malloc (WIDTH + 1);
+  TEST_VERIFY (input != NULL);
+  memset (input, 'A', WIDTH);
+  input[WIDTH] = '\0';
+
+  char *buf = NULL;
+  TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
+  TEST_VERIFY (buf != NULL);
+
+  free (buf);
+  free (input);
+  return 0;
+}
+
+#include <support/test-driver.c>
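Review bot: `TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1)` accepts a return of 0, so a conversion that matches nothing would still pass; a successful %mc matches exactly one item, which `TEST_COMPARE (sscanf (input, SCANFSTR, &buf), 1);` pins. The test also never checks what was stored: %c adds no terminator, so `TEST_COMPARE_BLOB (buf, WIDTH, input, WIDTH);` after the `buf != NULL` check (made `TEST_VERIFY_EXIT` so a NULL result is not dereferenced) would confirm that all WIDTH bytes landed inside the allocated buffer. The overflow itself is only observable through the heap checker (mcheck_pedantic here plus the MALLOC_CHECK_ setting in the Makefile), so a one-line comment above `#define WIDTH 0x410` saying that this width is presumably chosen so the last buffer enlargement falls exactly one byte short would help the next reader understand why the value is not arbitrary.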
diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
index 9b1197d751..5aff1c4f51 100644
--- a/stdio-common/vfscanf-internal.c
+++ b/stdio-common/vfscanf-internal.c
@@ -805,8 +805,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
 			{
 			  /* Enlarge the buffer.  */
 			  size_t newsize
-			    = strsize
-			      + (strsize >= width ? width - 1 : strsize);
+			    = strsize + (strsize >= width ? width : strsize);
 
 			  str = (char *) realloc (*strptr, newsize);
 			  if (str == NULL)
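Review bot: The corrected expression on the `= strsize + (strsize >= width ? width : strsize);` line encodes an invariant that the comment `/* Enlarge the buffer.  */` does not state, and the same expression is repeated in the two wide-character hunks below. A short comment would keep a later edit from reintroducing the `- 1`, e.g. `/* WIDTH counts the characters still to be stored, including the current one, and %c stores no terminator, so room for exactly WIDTH more is needed.  */` — the loop that gives width that meaning is outside the hunk, so confirm it before wording the comment this way. Since all three sites now compute the identical value, a `static inline size_t` helper taking strsize and width would also remove the triplication. __vfscanf_internal starts and ends outside these hunks.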
@@ -877,7 +876,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
 		      && wstr == (wchar_t *) *strptr + strsize)
 		    {
 		      size_t newsize
-			= strsize + (strsize > width ? width - 1 : strsize);
+			= strsize + (strsize >= width ? width : strsize);
 		      /* Enlarge the buffer.  */
 		      wstr = (wchar_t *) realloc (*strptr,
 						  newsize * sizeof (wchar_t));
@@ -932,7 +931,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
 		    && wstr == (wchar_t *) *strptr + strsize)
 		  {
 		    size_t newsize
-		      = strsize + (strsize > width ? width - 1 : strsize);
+		      = strsize + (strsize >= width ? width : strsize);
 		    /* Enlarge the buffer.  */
 		    wstr = (wchar_t *) realloc (*strptr,
 						newsize * sizeof (wchar_t));
-- 
2.54.0

