From owner-freebsd-bugs Fri Sep 18 02:00:29 1998
Message-Id: <98Sep18.095224bst.19713@gateway.euristix.ie>
Date: Fri, 18 Sep 1998 09:32:12 +0100
From: Niall Smart
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: bin/7970: Bug in *scanf: %n is sometimes ignored.
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         7970
>Category:       bin
>Synopsis:       Bug in *scanf: %n is sometimes ignored.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 18 02:00:01 PDT 1998
>Last-Modified:
>Originator:     Niall Smart
>Organization:   None
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
>Description:

There is a bug in the implementation of __svfscanf which sometimes causes the %n `conversion' to be ignored.
(%n is used to assign the number of characters read from the input stream to its corresponding argument.)

The following code demonstrates the bug:

    #include <stdio.h>

    int
    main(void)
    {
            long i;                 /* %li expects a long *, not an int * */
            int n = 12345678;       /* sentinel: stays unchanged if %n is skipped */

            /* one digit plus a newline, so %n should report 2 */
            sscanf("4\n", "%li %n", &i, &n);
            printf("%ld %d\n", i, n);
            return 0;
    }

The output should be "4 2", but it is "4 12345678"; n is not modified.

The bug arises when whitespace is present in the format string and __svfscanf hits EOF while skipping the corresponding whitespace in the input stream. In this case it jumps to input_failure and exits before seeing the subsequent %n in the format string. Jumping to input_failure would _usually_ be the correct move, since most conversions would require input (which is not available), so quitting then would be an optimisation.

The solution is simply to have it continue in its iteration over the format string; this is the approach taken by OpenBSD and I have used their patch.

Credit for patch: Chris Torek, Todd Miller

>How-To-Repeat:

See attached code.

>Fix:

*** src/lib/libc/stdio/vfscanf.c~	Tue Sep 15 17:52:48 1998
--- src/lib/libc/stdio/vfscanf.c	Tue Sep 15 17:57:04 1998
***************
*** 137,149 ****
  		if (c == 0)
  			return (nassigned);
  		if (isspace(c)) {
! 			for (;;) {
! 				if (fp->_r <= 0 && __srefill(fp))
! 					goto input_failure;
! 				if (!isspace(*fp->_p))
! 					break;
  				nread++, fp->_r--, fp->_p++;
- 			}
  			continue;
  		}
  		if (c != '%')
--- 137,144 ----
  		if (c == 0)
  			return (nassigned);
  		if (isspace(c)) {
! 			while ((fp->_r > 0 || __srefill(fp) == 0) && isspace(*fp->_p))
  				nread++, fp->_r--, fp->_p++;
  			continue;
  		}
  		if (c != '%')

>Audit-Trail:
>Unformatted:
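Review bot: with the `goto input_failure` removed, the whitespace directive can no longer signal input failure at all, so a format whose remaining directives are only whitespace (or whitespace followed by %n) now falls through to `if (c == 0) return (nassigned);` on EOF instead of taking the input_failure path; when nothing has been assigned yet the caller therefore gets 0 rather than whatever input_failure returns (not shown in the hunk), and that return-value change for a case such as a format of " " against an already-exhausted stream should be checked against the C standard's rule for input failure before the first conversion and mentioned in the commit message. The operand order in the new `while` condition is also load-bearing: `(fp->_r > 0 || __srefill(fp) == 0)` must stay ahead of `isspace(*fp->_p)`, because after a failed refill `fp->_p` must not be dereferenced; the old loop made that ordering explicit with its `goto`, so a one-line comment on the `while` would help the next reader.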
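The control-flow difference the report describes, worked through in code. This is an added example, not FreeBSD's libc or the submitter's code: a string-backed model of the __svfscanf directive loop supporting just whitespace, literal characters, %d and %n, with a mode switch between the pre-patch behaviour (EOF while skipping format whitespace is an input failure) and the patched behaviour (carry on to the next directive). The names model_scan, MODEL_OLD, MODEL_FIXED and pr7970_nchars are invented for the example. The reason the bug matters beyond a wrong count: callers commonly use the %n result to advance a cursor into a buffer, so a silently skipped %n leaves that advance driven by an uninitialised or stale variable.

```c
#include <ctype.h>
#include <stdio.h>

/* Added example, not FreeBSD's libc: a string-backed model of the
 * __svfscanf control loop, just enough to show the %n behaviour the PR
 * describes. Directives supported: whitespace, literal characters,
 * %d and %n. The names below are invented for this example. */
enum { MODEL_OLD = 0, MODEL_FIXED = 1 };

/* Returns the scanf-style assignment count (EOF on input failure before
 * the first conversion). *val receives %d, *nchars receives %n. */
static int model_scan(int mode, const char *in, const char *fmt,
                      int *val, int *nchars)
{
    const char *p = in;
    int nassigned = 0;
    int nread = 0;      /* characters consumed so far; this is what %n reports */

    for (;;) {
        int c = (unsigned char)*fmt++;
        if (c == 0)
            return nassigned;

        if (isspace(c)) {
            /* Whitespace in the format: skip any whitespace in the input. */
            while (*p != '\0' && isspace((unsigned char)*p))
                p++, nread++;
            /* Pre-patch libc: running out of input here is input_failure,
             * so a following %n (which needs no input) is never reached. */
            if (mode == MODEL_OLD && *p == '\0')
                return nassigned ? nassigned : EOF;
            /* Patched libc: just carry on with the next directive. */
            continue;
        }

        if (c != '%') {
            /* A literal character must match the next input character. */
            if (*p == '\0')
                return nassigned ? nassigned : EOF;
            if (*p != c)
                return nassigned;        /* matching failure */
            p++, nread++;
            continue;
        }

        c = (unsigned char)*fmt++;
        if (c == 'n') {
            /* %n consumes nothing and is not counted as an assignment. */
            *nchars = nread;
            continue;
        }
        if (c == 'd') {
            int sign = 1, v = 0, digits = 0;
            /* %d skips leading whitespace itself, like any numeric conversion. */
            while (*p != '\0' && isspace((unsigned char)*p))
                p++, nread++;
            if (*p == '\0')
                return nassigned ? nassigned : EOF;
            if (*p == '-' || *p == '+') {
                sign = (*p == '-') ? -1 : 1;
                p++, nread++;
            }
            while (*p >= '0' && *p <= '9') {
                v = v * 10 + (*p - '0');
                p++, nread++, digits++;
            }
            if (digits == 0)
                return nassigned;        /* matching failure */
            *val = sign * v;
            nassigned++;
            continue;
        }
        return nassigned;                /* directive not modelled */
    }
}

/* Reproduces the PR: "4\n" against "%d %n". Returns what %n left in n,
 * i.e. the untouched sentinel when %n was skipped. */
static int pr7970_nchars(int mode)
{
    int i = 0, n = 12345678;       /* 12345678 is the PR's sentinel value */
    model_scan(mode, "4\n", "%d %n", &i, &n);
    return n;
}

int main(void)
{
    printf("old:   %%n -> %d\n", pr7970_nchars(MODEL_OLD));    /* 12345678 */
    printf("fixed: %%n -> %d\n", pr7970_nchars(MODEL_FIXED));  /* 2 */
    return 0;
}
```

The model also shows the one observable side effect of the fix that the report does not discuss: a whitespace-only format against an empty input returns EOF in the old mode (input failure before any conversion) but 0 in the fixed mode, because the whitespace directive no longer has a failure exit of its own.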