GET /api/1.1/patches/2224752/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2224752,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2224752/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/20260418064841.3299863-1-marocketbd@gmail.com/",
    "project": {
        "id": 41,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/41/?format=api",
        "name": "GNU C Library",
        "link_name": "glibc",
        "list_id": "libc-alpha.sourceware.org",
        "list_email": "libc-alpha@sourceware.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260418064841.3299863-1-marocketbd@gmail.com>",
    "date": "2026-04-18T06:48:41",
    "name": "[v6] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "80275ff39cb2ffad270d701e52c28648e369a37b",
    "submitter": {
        "id": 92898,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/92898/?format=api",
        "name": "Rocket Ma",
        "email": "marocketbd@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/20260418064841.3299863-1-marocketbd@gmail.com/mbox/",
    "series": [
        {
            "id": 500423,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/500423/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=500423",
            "date": "2026-04-18T06:48:41",
            "name": "[v6] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]",
            "version": 6,
            "mbox": "http://patchwork.ozlabs.org/series/500423/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2224752/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2224752/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Delivered-To": [
            "patchwork-incoming@legolas.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=nx8ZZcX2;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)",
            "sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=nx8ZZcX2",
            "sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "sourceware.org; spf=pass smtp.mailfrom=gmail.com",
            "server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::132c"
        ],
        "Received": [
            "from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fyMmn64kgz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 16:49:24 +1000 (AEST)",
            "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 817F94AA51FD\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 06:49:22 +0000 (GMT)",
            "from mail-dy1-x132c.google.com (mail-dy1-x132c.google.com\n [IPv6:2607:f8b0:4864:20::132c])\n by sourceware.org (Postfix) with ESMTPS id 3EA654AA51FD\n for <libc-alpha@sourceware.org>; Sat, 18 Apr 2026 06:49:01 +0000 (GMT)",
            "by mail-dy1-x132c.google.com with SMTP id\n 5a478bee46e88-2d832f2f44cso1598703eec.0\n for <libc-alpha@sourceware.org>; Fri, 17 Apr 2026 23:49:01 -0700 (PDT)",
            "from localhost ([23.94.240.252]) by smtp.gmail.com with UTF8SMTPSA\n id\n 5a478bee46e88-2e53d9b056fsm7285756eec.29.2026.04.17.23.48.58\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 23:48:59 -0700 (PDT)"
        ],
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 sourceware.org 817F94AA51FD",
            "OpenDKIM Filter v2.11.0 sourceware.org 3EA654AA51FD"
        ],
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org 3EA654AA51FD",
        "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org 3EA654AA51FD",
        "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776494941; cv=none;\n b=NxI0nfsQ/N2C9Ng3RTQzfI3m90ynqvuinhGni2jqAioZ1wU2VFQbmzYjvCCu3U5d7TnXLXGV3viWHh8CCy5b2bm9HAxgbSDF9XUBWPGVJ6TlcmTcStP9bMipCJGr6WmTGnCyWe391xmeFUniV/dVrTsW2xI5jGOouuC0YtVmJ2U=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776494941; c=relaxed/simple;\n bh=U75kx1SiA/S9iwROxXQrVYdsJAOwIqAhRkke0NQ7FYY=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=Kxp3yJv2JLG+tkBrHdPi5bs0rFjbYglZfTB9XqmGz6H2woNpbWVkvIoWnhyXnnxEwVa1FaNnOwshTjJkJd8qslL3ypkJYUbxyqzmaybm6dKdly2NmognQH2iQwWfqZbjSVpojPrh6rweG72yJxL+A1uLHWcVfCInSI52IJk9TCw=",
        "ARC-Authentication-Results": "i=1; server2.sourceware.org",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776494940; x=1777099740; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=9SPmJ0h2yky0JJq/NREk0v+kZTW2kPE22u2X9cKkXHE=;\n b=nx8ZZcX2p6L/DEC5SZi827FhFHeR/yM3jr7lLyiTR6BXK2/XE9euoU7qNVx2/vVsRA\n SDEqknOuF74mgpZu0zJx+bjzgeAJfB4pZ3Xlr7pS1HKpjukqF6V0SXDUpEC+nwN+cJtI\n 6u7O+Bx335K7XRzwrtW3ePIS2Je/FoZPjXzzE+7p6tc1VpKlvX5ZFurQxc2HhKmMzfDx\n XcH3qyrYGJ94tR4lAwMVZlx9jvr0gatGaxGkOjaSD7vFi0x/owIwdq6R9bDZgF51a/Lg\n 0E3mUETs8LwjgVYjOa7HSoc1wtWMNdEgb+jVHGS97oUyWrT2TkSdpdwQdQ/IkEOX685e\n y1oA==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776494940; x=1777099740;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=9SPmJ0h2yky0JJq/NREk0v+kZTW2kPE22u2X9cKkXHE=;\n b=rEPE0HyahXdcQO28HhaVitS6Cc/+RByx1p7CVJPCIJf7/Y7aakRRsC0T78hHk5jhaf\n 07bj3qk+ez7RVTabdVb74GaHaFk70RVu9nX32uaG/3FKxlu/a5HEvkl4xM2IFl5LuzLa\n o2RKtsDKjWihhqE97tn1hQOPv1slD2XPAerYEuCmuem0XcKNqHr7ZepMqllmAVy8w7mo\n 9zHAFBj1/iHtOreXqEXuqyuYE514EQqaaHmBedlVg3JoTl3j8EM8m4+WRi++CtzVW6n/\n J4G3JIHkvTt8y45Nn6vbnOVE0yBICV8e4stssNo7Lzf3pRVqhcSjAGeXjIbh9RbbtQnu\n KK1Q==",
        "X-Gm-Message-State": "AOJu0YyarpuaiMosvQ4ik9tnaEL1ry6mfYXlaSsItzgL6xZfBDQjD4yD\n h8e00WbAraHuSzkCIwyRZHbr1gIq67kt+ZD9rD/CT0jQD2fojk4EVeK1NqIGq/ka",
        "X-Gm-Gg": "AeBDiev6oszaFSK8A3PeuL3bQS8xdvmS0SGqk+A1gWG6ilTUDDNkJxnsC+jvw/yhX1Q\n QNoov+uz6az9sgkSrYpIrHJHhaLZ0nmRvviF9dAnatfYIq1EuXXGpoYjF087hlx4HoqRbzEkh9L\n ihfmoeBa3vz1fNnPx9mPCpAehlErHiSlAnaq6Q0362268aRgASAkAAFf+KIyhTkwIp9P8ZHm6B8\n nG7pPdZOfsyDo2EtphQwhRMLGdmQYP484uL2lFNpkEnHz3sO0rZ3qgmkgX74idlMOUm6h+pKpEq\n xVK0EoKGhlv8S9dTxDBBrVHKZQLMDRRc0RWN4y+EzUC0h6UO+SSKX894mGR8honqHc6+0mZaWJd\n Y73k7+rqCF7MGGXks74ajYvv6Aib7/pxjQJyep+Gx9foO9VxJ3Rz5G/WAu5VK2QpktokKeLMnfi\n zLPHQiJC27OsBvYdQvXjWGpfscs7kgxJs3pUq4jTUt5042X6xt6lXkCX2RDlqqWiLGucOloOnwc\n yHXh0l3KeUBD9ZevH+qLzk4bdrhntgU2sp9ZoHvVLqRVtBqTiiUStwuVgEaTaYdG3FYN9EP3efl\n bDbiIYksjQ==",
        "X-Received": "by 2002:a05:7301:4083:b0:2d8:b1ce:d3d8 with SMTP id\n 5a478bee46e88-2e4526dd448mr2601122eec.0.1776494940161;\n Fri, 17 Apr 2026 23:49:00 -0700 (PDT)",
        "From": "Rocket Ma <marocketbd@gmail.com>",
        "To": "Carlos O'Donell <carlos@redhat.com>",
        "Cc": "libc-alpha@sourceware.org,\n\tFlorian Weimer <fw@deneb.enyo.de>",
        "Subject": "[PATCH v6] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]",
        "Date": "Fri, 17 Apr 2026 23:48:41 -0700",
        "Message-ID": "<20260418064841.3299863-1-marocketbd@gmail.com>",
        "X-Mailer": "git-send-email 2.47.3",
        "In-Reply-To": "<e48ff256-40b9-4fc4-9898-8bce0e6b4651@redhat.com>",
        "References": "",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-BeenThere": "libc-alpha@sourceware.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>",
        "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>",
        "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>",
        "List-Post": "<mailto:libc-alpha@sourceware.org>",
        "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>",
        "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>",
        "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"
    },
    "content": "* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with\nformat %mc or %mC, glibc allocates one byte less, leading to\nuser-controlled one byte overflow. This commit fixes BZ #34008, or\nCVE-2026-5450.\n\nReviewed-by: Carlos O'Donell <carlos@redhat.com>\nSigned-off-by: Rocket Ma <marocketbd@gmail.com>\n---\n stdio-common/Makefile              |  4 +++\n stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++\n stdio-common/vfscanf-internal.c    |  7 ++---\n 3 files changed, 55 insertions(+), 4 deletions(-)\n create mode 100644 stdio-common/tst-vfscanf-bz34008.c",
    "diff": "diff --git a/stdio-common/Makefile b/stdio-common/Makefile\nindex 210944837e..0c0085e607 100644\n--- a/stdio-common/Makefile\n+++ b/stdio-common/Makefile\n@@ -349,6 +349,7 @@ tests := \\\n   tst-vfprintf-user-type \\\n   tst-vfprintf-width-i18n \\\n   tst-vfprintf-width-prec-alloc \\\n+  tst-vfscanf-bz34008 \\\n   tst-wc-printf \\\n   tstdiomisc \\\n   tstgetln \\\n@@ -564,6 +565,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \\\n tst-vfprintf-width-prec-ENV = \\\n   MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \\\n   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so\n+tst-vfscanf-bz34008-ENV = \\\n+  MALLOC_CHECK_=3 \\\n+  LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so\n tst-printf-bz25691-ENV = \\\n   MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \\\n   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so\ndiff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c\nnew file mode 100644\nindex 0000000000..af746821fb\n--- /dev/null\n+++ b/stdio-common/tst-vfscanf-bz34008.c\n@@ -0,0 +1,48 @@\n+/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)\n+   Copyright (C) 2026 The GNU Toolchain Authors.\n+   This file is part of the GNU C Library.\n+\n+   The GNU C Library is free software; you can redistribute it and/or\n+   modify it under the terms of the GNU Lesser General Public\n+   License as published by the Free Software Foundation; either\n+   version 2.1 of the License, or (at your option) any later version.\n+\n+   The GNU C Library is distributed in the hope that it will be useful,\n+   but WITHOUT ANY WARRANTY; without even the implied warranty of\n+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n+   Lesser General Public License for more details.\n+\n+   You should have received a copy of the GNU Lesser General Public\n+   License along with the GNU C Library; if not, see\n+   <https://www.gnu.org/licenses/>.  
*/\n+\n+#include \"malloc/mcheck.h\"\n+#include <stddef.h>\n+#include <stdio.h>\n+#include <string.h>\n+#include <wchar.h>\n+#include <stdlib.h>\n+#include <malloc.h>\n+#include <support/check.h>\n+\n+#define WIDTH 0x410\n+#define SCANFSTR \"%1040mc\"\n+static int\n+do_test (void)\n+{\n+  mcheck_pedantic (NULL);\n+  char *input = malloc (WIDTH + 1);\n+  TEST_VERIFY (input != NULL);\n+  memset (input, 'A', WIDTH);\n+  input[WIDTH] = '\\0';\n+\n+  char *buf = NULL;\n+  TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);\n+  TEST_VERIFY (buf != NULL);\n+\n+  free (buf);\n+  free (input);\n+  return 0;\n+}\n+\n+#include <support/test-driver.c>\ndiff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\nindex 59fc8208aa..3d11ac261e 100644\n--- a/stdio-common/vfscanf-internal.c\n+++ b/stdio-common/vfscanf-internal.c\n@@ -855,8 +855,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t{\n \t\t\t  /* Enlarge the buffer.  */\n \t\t\t  size_t newsize\n-\t\t\t    = strsize\n-\t\t\t      + (strsize >= width ? width - 1 : strsize);\n+\t\t\t    = strsize + (strsize >= width ? width : strsize);\n \n \t\t\t  str = (char *) realloc (*strptr, newsize);\n \t\t\t  if (str == NULL)\n@@ -929,7 +928,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t      && wstr == (wchar_t *) *strptr + strsize)\n \t\t    {\n \t\t      size_t newsize\n-\t\t\t= strsize + (strsize > width ? width - 1 : strsize);\n+\t\t\t= strsize + (strsize >= width ? width : strsize);\n \t\t      /* Enlarge the buffer.  */\n \t\t      wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\t  newsize * sizeof (wchar_t));\n@@ -984,7 +983,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t    && wstr == (wchar_t *) *strptr + strsize)\n \t\t  {\n \t\t    size_t newsize\n-\t\t      = strsize + (strsize > width ? width - 1 : strsize);\n+\t\t      = strsize + (strsize >= width ? width : strsize);\n \t\t    /* Enlarge the buffer.  
*/\n \t\t    wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\tnewsize * sizeof (wchar_t));\n",
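Review bot: In the new tst-vfscanf-bz34008.c, `TEST_VERIFY (input != NULL)` records a failure but keeps running, so a failed `malloc` would still reach the `memset` on the next line; `TEST_VERIFY_EXIT (input != NULL);` stops the test there. The result check `sscanf (input, SCANFSTR, &buf) != -1` also passes when no conversion happened, so `TEST_COMPARE (sscanf (input, SCANFSTR, &buf), 1);` would pin the expected single conversion. Adding `TEST_COMPARE_BLOB (buf, WIDTH, input, WIDTH);` after the NULL check would confirm that all 0x410 bytes were stored. `<stddef.h>`, `<wchar.h>` and `<malloc.h>` look unused in this file.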
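Review bot: The two `wchar_t` hunks in vfscanf-internal.c (at -929 and -984) get the same growth fix as the `char` hunk at -855, but the added test only drives `%1040mc` into a `char *`, so as far as the visible test shows neither `newsize * sizeof (wchar_t)` realloc is exercised. A second case using `%1040mlc` with a `wchar_t *` destination, ideally through both `sscanf` and `swscanf`, would cover them under the same malloc checking. The reason `width` rather than `width - 1` is correct is not visible at the computation; a comment such as `/* WIDTH still counts the character about to be stored.  */` above each `newsize` would record it, assuming that is how the loop outside these hunks counts down. The body of `__vfscanf_internal` starts and ends outside all three hunks.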
    "prefixes": [
        "v6"
    ]
}