From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: libc-alpha@sourceware.org
Subject: [PATCH] Fix aliasing violation in __vfscanf_internal [BZ #26690]
Date: Wed, 7 Oct 2020 18:50:49 +0100 [thread overview]
Message-ID: <20201007175049.32564-1-szabolcs.nagy@arm.com> (raw)
Internal stdio code uses both CHAR_T and UCHAR_T strings.
But the internal helper read_int was only written for UCHAR_T.
A CHAR_T object can alias UCHAR_T, but CHAR_T * cannot alias
UCHAR_T *. This means a cast like (UCHAR_T **)&pc is likely
a bug in the code (currently GCC does not warn about this
see PR97321). The fix introduces a read_int_char variant and
removes the problematic casts.
(The mixed use of CHAR_T and UCHAR_T may be a design mistake
in stdio: if everything used char and wchar_t consistently
then aliasing violation would be much less likely, but fixing
that requires more refactoring.)
Fixes bug 26690.
---
stdio-common/vfscanf-internal.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
index 95b46dcbeb..d832493623 100644
--- a/stdio-common/vfscanf-internal.c
+++ b/stdio-common/vfscanf-internal.c
@@ -135,6 +135,16 @@
#include "printf-parse.h" /* Use read_int. */
+/* Same as read_int, but for CHAR_T * instead of UCHAR_T * string. */
+static int
+read_int_char (const CHAR_T * *pstr)
+{
+ const UCHAR_T *ustr = (const UCHAR_T *) *pstr;
+ int retval = read_int (&ustr);
+ *pstr = (const CHAR_T *) ustr;
+ return retval;
+}
+
#define encode_error() do { \
__set_errno (EILSEQ); \
goto errout; \
@@ -486,7 +496,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
/* Check for a positional parameter specification. */
if (ISDIGIT ((UCHAR_T) *f))
{
- argpos = read_int ((const UCHAR_T **) &f);
+ argpos = read_int_char (&f);
if (*f == L_('$'))
++f;
else
@@ -522,7 +532,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
/* Find the maximum field width. */
width = 0;
if (ISDIGIT ((UCHAR_T) *f))
- width = read_int ((const UCHAR_T **) &f);
+ width = read_int_char (&f);
got_width:
if (width == 0)
width = -1;
--
2.17.1
next reply other threads:[~2020-10-07 17:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-07 17:50 Szabolcs Nagy [this message]
2020-10-07 18:08 ` Florian Weimer
2020-10-07 18:10 ` Adhemerval Zanella
2020-10-07 18:16 ` Florian Weimer
2020-10-08 7:27 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201007175049.32564-1-szabolcs.nagy@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).