stdio: fix buffer over-read in scanf

Over-read was possible if width was greater than remaining input length when using %c format. JIRA: RTOS-868
phoenix-rtos · Nov 7, 2024 · 7b6fa8f · 7b6fa8f
1 parent f7300ec
commit 7b6fa8f
Showing 1 changed file with 13 additions and 25 deletions.
diff --git a/stdio/scanf.c b/stdio/scanf.c
@@ -364,35 +364,23 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 				if (width == 0) {
 					width = 1;
 				}
-				if ((flags & SUPPRESS) != 0) {
-					size_t sum = 0;
-					for (;;) {
-						n = *inr;
-						if (n < (int)width) {
-							sum += n;
-							width -= n;
-							inp += n;
-							if (sum == 0) {
-								return (nconversions != 0 ? nassigned : -1);
-							}
-							break;
-						}
-						else {
-							sum += width;
-							*inr -= width;
-							inp += width;
-							break;
-						}
-					}
-					nread += sum;
+
+				if (*inr <= 0) {
+					return (nconversions != 0 ? nassigned : -1);
 				}
-				else {
+
+				if (width > *inr) {
+					width = *inr;
+				}
+
+				if ((flags & SUPPRESS) == 0) {
 					memcpy(va_arg(ap, char *), inp, width);
-					*inr -= width;
-					inp += width;
-					nread += width;
 					nassigned++;
 				}
+
+				*inr -= width;
+				inp += width;
+				nread += width;
 				nconversions++;
 				break;