From d70f0c7c0c547e06ff141197c54ae8e4e56d048b Mon Sep 17 00:00:00 2001
From: Rocket Ma <marocketbd@gmail.com>
Date: Fri, 17 Apr 2026 23:48:41 -0700
Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]

* stdio-common/vfscanf-internal.c: When enlarging the buffer allocated for
the %mc or %mC conversion, glibc allocated one byte less than needed,
leading to a user-controlled one-byte overflow. This commit fixes
BZ #34008 (CVE-2026-5450).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
---
 stdio-common/Makefile              |  2 ++
 stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++
 stdio-common/vfscanf-internal.c    |  7 ++---
 3 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 stdio-common/tst-vfscanf-bz34008.c

Index: glibc-2.31/stdio-common/Makefile
===================================================================
--- glibc-2.31.orig/stdio-common/Makefile
+++ glibc-2.31/stdio-common/Makefile
@@ -66,7 +66,7 @@ tests := tstscanf test_rdwr test-popen t
 	 tst-scanf-round \
 	 tst-renameat2 tst-bz11319 tst-bz11319-fortify2 \
 	 scanf14a scanf16a \
-
+	 tst-vfscanf-bz34008
 
 test-srcs = tst-unbputc tst-printf tst-printfsz-islongdouble
 
@@ -100,6 +100,7 @@ endif
 tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace
 tst-vfprintf-width-prec-ENV = \
   MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace
+tst-vfscanf-bz34008-ENV = MALLOC_CHECK_=3
 
 $(objpfx)tst-unbputc.out: tst-unbputc.sh $(objpfx)tst-unbputc
 	$(SHELL) $< $(common-objpfx) '$(test-program-prefix)' > $@; \
Index: glibc-2.31/stdio-common/tst-vfscanf-bz34008.c
===================================================================
--- /dev/null
+++ glibc-2.31/stdio-common/tst-vfscanf-bz34008.c
@@ -0,0 +1,48 @@
+/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
+   Copyright (C) 2026 The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "malloc/mcheck.h"
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include <wchar.h>
+#include <stdlib.h>
+#include <malloc.h>
+#include <support/check.h>
+
+#define WIDTH 0x410
+#define SCANFSTR "%1040mc"
+static int
+do_test (void)
+{
+  mcheck_pedantic (NULL);
+  char *input = malloc (WIDTH + 1);
+  TEST_VERIFY (input != NULL);
+  memset (input, 'A', WIDTH);
+  input[WIDTH] = '\0';
+
+  char *buf = NULL;
+  TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
+  TEST_VERIFY (buf != NULL);
+
+  free (buf);
+  free (input);
+  return 0;
+}
+
+#include <support/test-driver.c>
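Review bot: The assertion `TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);` only rules out an input failure; it still passes if the conversion stored the wrong bytes, so the test should pin the result with `TEST_VERIFY (sscanf (input, SCANFSTR, &buf) == 1);` and, because %c stores no terminating NUL, compare the raw bytes with `TEST_VERIFY (memcmp (buf, input, WIDTH) == 0);`. WIDTH (0x410) and the literal 1040 inside SCANFSTR must stay equal, and nothing enforces that; a `_Static_assert (WIDTH == 1040, "SCANFSTR width must match WIDTH");` next to the defines documents the coupling. The out-of-bounds write itself is presumably caught by mcheck_pedantic and MALLOC_CHECK_ rather than by any TEST_VERIFY, which deserves a one-line comment above `mcheck_pedantic (NULL);` so a future reader does not drop either guard as redundant. The return value of `mcheck_pedantic` is also unchecked; wrapping it as `TEST_VERIFY (mcheck_pedantic (NULL) == 0);` makes a late-registration failure visible instead of silently weakening the test.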
Index: glibc-2.31/stdio-common/vfscanf-internal.c
===================================================================
--- glibc-2.31.orig/stdio-common/vfscanf-internal.c
+++ glibc-2.31/stdio-common/vfscanf-internal.c
@@ -804,8 +804,7 @@ __vfscanf_internal (FILE *s, const char
 			{
 			  /* Enlarge the buffer.  */
 			  size_t newsize
-			    = strsize
-			      + (strsize >= width ? width - 1 : strsize);
+			    = strsize + (strsize >= width ? width : strsize);
 
 			  str = (char *) realloc (*strptr, newsize);
 			  if (str == NULL)
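Review bot: The growth formula on the `newsize` line is now duplicated verbatim in all three hunks (here, at -876/+875 and at -931/+930), and the removed lines show the copies had already drifted apart before this fix (`>=` at the first site, `>` at the other two), so extracting it into one `static inline` helper would keep them from diverging again. The helper is also the natural place for the comment the hunks lack: the buffer is full when this runs, so the added amount must be at least one element, and `width` is presumably the count of elements still to be read (its declaration is outside the hunk — confirm), which is why growing by exactly `width` when it fits is sufficient and the old `width - 1` was one short. Each site then reduces to `size_t newsize = scanf_grow_size (strsize, width);` with the parameter types taken from the existing declarations of `strsize` and `width`. `__vfscanf_internal` begins and ends outside the hunk.
```c
/* Number of elements for the enlarged conversion buffer.  STRSIZE is the
   current element count and the buffer is full when this is called, so the
   result always exceeds STRSIZE; WIDTH is the number of elements still to be
   read, so growing by exactly WIDTH when it fits is sufficient.  */
static inline size_t
scanf_grow_size (size_t strsize, size_t width)
{
  return strsize + (strsize >= width ? width : strsize);
}

/* … unchanged: __vfscanf_internal up to the %mc buffer-full check … */
			  size_t newsize = scanf_grow_size (strsize, width);
```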
@@ -876,7 +875,7 @@ __vfscanf_internal (FILE *s, const char
 		      && wstr == (wchar_t *) *strptr + strsize)
 		    {
 		      size_t newsize
-			= strsize + (strsize > width ? width - 1 : strsize);
+			= strsize + (strsize >= width ? width : strsize);
 		      /* Enlarge the buffer.  */
 		      wstr = (wchar_t *) realloc (*strptr,
 						  newsize * sizeof (wchar_t));
@@ -931,7 +930,7 @@ __vfscanf_internal (FILE *s, const char
 		    && wstr == (wchar_t *) *strptr + strsize)
 		  {
 		    size_t newsize
-		      = strsize + (strsize > width ? width - 1 : strsize);
+		      = strsize + (strsize >= width ? width : strsize);
 		    /* Enlarge the buffer.  */
 		    wstr = (wchar_t *) realloc (*strptr,
 						newsize * sizeof (wchar_t));
