stdio: fix buffer over-read in scanf

Over-read was possible if width was greater than remaining input length when using %c format. JIRA: RTOS-868
phoenix-rtos · Aug 2, 2024 · 216557c · 216557c
1 parent 54ea61e
commit 216557c
Showing 1 changed file with 15 additions and 25 deletions.
diff --git a/stdio/scanf.c b/stdio/scanf.c
@@ -328,36 +328,26 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 		 */
 		switch (c) {
 			case CT_CHAR:
-				if (width == 0)
+				if (width == 0) {
 					width = 1;
-				if (flags & SUPPRESS) {
-					size_t sum = 0;
-					for (;;) {
-						n = *inr;
-						if (n < (int)width) {
-							sum += n;
-							width -= n;
-							inp += n;
-							if (sum == 0)
-								return (nconversions != 0 ? nassigned : -1);
-							break;
-						}
-						else {
-							sum += width;
-							*inr -= width;
-							inp += width;
-							break;
-						}
-					}
-					nread += sum;
 				}
-				else {
+
+				if (*inr <= 0) {
+					return (nconversions != 0 ? nassigned : -1);
+				}
+
+				if (width > *inr) {
+					width = *inr;
+				}
+
+				if ((flags & SUPPRESS) == 0) {
 					memcpy(va_arg(ap, char *), inp, width);
-					*inr -= width;
-					inp += width;
-					nread += width;
 					nassigned++;
 				}
+
+				*inr -= width;
+				inp += width;
+				nread += width;
 				nconversions++;
 				break;