From 17e3da0570e1b77da92e90f3e513519bc7f401b9 Mon Sep 17 00:00:00 2001
From: Rocket Ma <marocketbd@gmail.com>
Date: Fri, 17 Apr 2026 23:48:41 -0700
Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]

* stdio-common/vfscanf-internal.c: When enlarging the allocated buffer for
format %mc or %mC, glibc allocates one byte less than needed, leading to a
user-controlled one-byte overflow. This commit fixes BZ #34008, also known as
CVE-2026-5450.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
---
 stdio-common/vfscanf.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index 0e204e7b32..3388b998ff 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -777,8 +777,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 			{
 			  /* Enlarge the buffer.  */
 			  size_t newsize
-			    = strsize
-			      + (strsize >= width ? width - 1 : strsize);
+			    = strsize + (strsize >= width ? width : strsize);
 
 			  str = (char *) realloc (*strptr, newsize);
 			  if (str == NULL)
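Review bot: The corrected size arithmetic on the `newsize` line is not pinned by a regression test in this patch; since BZ #34008 is reachable from caller-controlled input (a `%mc`/`%mC` conversion whose width exceeds the initial allocation), a tst-scanf-style test that reads past the first buffer size with `%mc` and `%mC` and runs under a bounds checker would keep the `width` vs. `width - 1` distinction from regressing. The same change is made in the two wide-character hunks below (`wstr` paths at the next two `@@` headers), so one test covering both narrow and wide variants would suffice. The existing `/* Enlarge the buffer.  */` comment also says nothing about why `width` rather than `width - 1` is right here; I would extend it to `/* Enlarge the buffer.  All `width' characters need room — presumably because %c stores no terminating NUL, unlike %s; confirm against the %s path.  */`. The enclosing `_IO_vfscanf_internal` begins and ends outside this hunk.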
@@ -849,7 +848,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		      && wstr == (wchar_t *) *strptr + strsize)
 		    {
 		      size_t newsize
-			= strsize + (strsize > width ? width - 1 : strsize);
+			= strsize + (strsize >= width ? width : strsize);
 		      /* Enlarge the buffer.  */
 		      wstr = (wchar_t *) realloc (*strptr,
 						  newsize * sizeof (wchar_t));
@@ -904,7 +903,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		    && wstr == (wchar_t *) *strptr + strsize)
 		  {
 		    size_t newsize
-		      = strsize + (strsize > width ? width - 1 : strsize);
+		      = strsize + (strsize >= width ? width : strsize);
 		    /* Enlarge the buffer.  */
 		    wstr = (wchar_t *) realloc (*strptr,
 						newsize * sizeof (wchar_t));
-- 
2.54.0

