Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2220004/?format=api
{ "id": 2220004, "url": "http://patchwork.ozlabs.org/api/patches/2220004/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/20260405181821.475180-3-marocketbd@gmail.com/", "project": { "id": 41, "url": "http://patchwork.ozlabs.org/api/projects/41/?format=api", "name": "GNU C Library", "link_name": "glibc", "list_id": "libc-alpha.sourceware.org", "list_email": "libc-alpha@sourceware.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260405181821.475180-3-marocketbd@gmail.com>", "list_archive_url": null, "date": "2026-04-05T18:18:21", "name": "[v4,2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "045d37a6a25b8e5c0f27d0cbba117f75888f7a82", "submitter": { "id": 92898, "url": "http://patchwork.ozlabs.org/api/people/92898/?format=api", "name": "Rocket Ma", "email": "marocketbd@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/20260405181821.475180-3-marocketbd@gmail.com/mbox/", "series": [ { "id": 498801, "url": "http://patchwork.ozlabs.org/api/series/498801/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=498801", "date": "2026-04-05T18:18:19", "name": "stdio-common: Fix heap overflow in scanf %mc pattern [BZ #34008]", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/498801/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2220004/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2220004/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "libc-alpha@sourceware.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "libc-alpha@sourceware.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ansEIITu;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=38.145.34.32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)", "sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ansEIITu", "sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "sourceware.org; spf=pass smtp.mailfrom=gmail.com", "server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::1235" ], "Received": [ "from vm01.sourceware.org (vm01.sourceware.org [38.145.34.32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fpgjl2vfTz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 04:20:11 +1000 (AEST)", "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 665024BA2E28\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 5 Apr 2026 18:20:09 +0000 (GMT)", "from mail-dl1-x1235.google.com (mail-dl1-x1235.google.com\n [IPv6:2607:f8b0:4864:20::1235])\n by sourceware.org (Postfix) with ESMTPS id C625E4BA2E28\n for <libc-alpha@sourceware.org>; Sun, 5 Apr 2026 18:18:50 +0000 (GMT)", "by mail-dl1-x1235.google.com with SMTP id\n a92af1059eb24-126ea4e9694so7241336c88.1\n for <libc-alpha@sourceware.org>; Sun, 05 Apr 2026 11:18:50 -0700 (PDT)", "from localhost ([23.94.240.252]) by smtp.gmail.com with UTF8SMTPSA\n id\n 5a478bee46e88-2cb7ec57f9dsm8748605eec.11.2026.04.05.11.18.47\n for <libc-alpha@sourceware.org>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sun, 05 Apr 2026 11:18:47 -0700 (PDT)" ], "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 sourceware.org 665024BA2E28", "OpenDKIM Filter v2.11.0 sourceware.org C625E4BA2E28" ], "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org C625E4BA2E28", "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org C625E4BA2E28", "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1775413131; cv=none;\n b=iCJxTBE9VWzMD5O459N/xgPKAvVMJEJ9q67/z5fAKAkhkOOC5pHkKSCXp8m+BdzTefcCkAc6AZ6+Zh352hejkVcno+mJNEtWIkIoXE0d/amYzuZbFItGI4hSDRdIyYoiqPwAv44EuL9fhyIeiL+C07VUTKUKd459pe/GUlz+4jA=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1775413131; c=relaxed/simple;\n bh=UHhYNrw2hM5lF4xWrsWeUnjlTl+g7E/YTsOJxXzzjf0=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=ppGOcuuVBuq1iZW9KfeB1nwgHAMSkQqEPoHT5HPSXOxQev1+K3eo+EDr0clKOqNEO2/6rvG9FTv8LQa0GZBnPcli+xS2+OvO03uN1xpkpaqW3hKqns39we1ZzzTChvbeCPK6SP2vczeHY0tu4PxgKPnragRapejXaXhDCeFc7eA=", "ARC-Authentication-Results": "i=1; server2.sourceware.org", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775413129; x=1776017929; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:from:to:cc:subject:date:message-id\n :reply-to; bh=5yHx8e+06vpPOinRWAo0pAGN7WVNjEgVLxVfB+/kHPc=;\n b=ansEIITuyLIk075Mhc0QE6bWdaVa5iBsYz7YukRppyEBubt3B1EEadZZIlY2be5gtV\n OYnvr3zt8JGcYBxz7HQVLZeru47bapbDqQbduuc2VMcADLSGsSfwQpJTLXG7ZDqWNCeF\n 6m9/2irZQnqSdN2T1nunMAbYBh1JsWqj6yDKmFnJhGEGZRYzRGEcktdyRpoFZr1x3zDk\n kbdXg+LRsI8zuJOB7SllF2jS99yocK1amlpu0bPFDarNCqe4Vddo5yt257gARDxb9QDj\n CodxKkIOvpnTMIxI7My61DwFBAuUsMwxGBJKsR9AhWA4aacQA/GhczkRAnjveb8TsvS5\n se6w==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775413129; x=1776017929;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=5yHx8e+06vpPOinRWAo0pAGN7WVNjEgVLxVfB+/kHPc=;\n b=CKguNwsmCcPS2kd37zAVh7rzskPN1HYvb/e+5zureTEX/L0BKtm7nlVVxCLhwAyLag\n /Y1cpSg7AJYXWOa7CU/o/ow/Xmnr3w2uzc7Dd5IVFzOFrhFAuXrkcicKkYlTjlzmPlg2\n QZbx0q6ZhqVuaeb5tL0swNzWI29JPkE6g8kutBrhuxS3uCKjelOvMSqVFNsZodcOPXRG\n r6Erne9hYe319KcZZyzKbl8rmAdu/mhqGeDye+XeypaOp9tpClKCO+uze+sBtmcqpemK\n snqtqjOYE5ITxR06vGBGBU+/bmCCZ+ypIhBVN5VG8AuWXBrzGiVpnq32nBQDrBiawhEl\n sH8A==", "X-Gm-Message-State": "AOJu0Yyj6xRdiVrf+K2OJyP6FQq/7bFL/otrxCezBTKzHKiBo37imJFZ\n aTG3CS2npviKdshHADOsleJgEn1ivnO0o74QFpEUmHzvawEsW6BmtnMgUdJtow1q", "X-Gm-Gg": "AeBDievmQ8f9vWCfQckKgI3vQYrKnkJo8Ou5JQ0f+pXZUDt6tdo0L4NKdipVCWc3kZd\n sFG2FRY0pcnNNSqRF0EYDo3JRtu1faC6GoIhkOCYqO93AnaMdjZTvDB1ge+/IFyxqob80CBopYB\n bJuVts6t+QjZNz8uzzYPn8NAzrLUGbiIGkA3yj7/Ikog8x6IZuvkX0RtrRLGUSK71UGlrTqkEGU\n FHLL5X3xjkKCuVqNEgAYNROXaxL2fHrNN3iLjIzwqzLUAQBzjJt6Cco9eU4E8QpmZHyyr6u9Toa\n Yn/uPHFblY3m7nKFRsf+V+Vd9HCMQyG95vkBDA5d7zJTl8WkzukFsj/tygfCi//5NpKL8xooQzv\n 78ZmmvzGs+Ks6UG+0LVdxDeE5aLclyePEKxLgiD0+EkQEIAa4v/rZ2GY0rbCe8GPNGAUnJYcwrc\n HQxDRtCW4oN8n89FKeH8Nr4Z3+z8O3urF8WzgU8qffwmtZ5K0yfq2IpotnvXYjQEvY+W7fCzoiN\n 1mpaZYH", "X-Received": "by 2002:a05:7022:2221:b0:127:33e0:ea33 with SMTP id\n a92af1059eb24-12bfb74c9bcmr5068263c88.22.1775413129046;\n Sun, 05 Apr 2026 11:18:49 -0700 (PDT)", "From": "Rocket Ma <marocketbd@gmail.com>", "To": "libc-alpha@sourceware.org", "Subject": "[PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ\n #34008]", "Date": "Sun, 5 Apr 2026 11:18:21 -0700", "Message-ID": "<20260405181821.475180-3-marocketbd@gmail.com>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260405181821.475180-1-marocketbd@gmail.com>", "References": "<20260405181821.475180-1-marocketbd@gmail.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "libc-alpha@sourceware.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>", "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>", "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>", "List-Post": "<mailto:libc-alpha@sourceware.org>", "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>", "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>", "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org" }, "content": "* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with\nformat %mc or %mC, glibc allocates one byte less, leading to\nuser-controlled one byte overflow. This commit fixes BZ #34008, or\nCVE-2026-5450. Unify newsize calculation of allocated buffer.\n\nSigned-off-by: Rocket Ma <marocketbd@gmail.com>\n---\n stdio-common/vfscanf-internal.c | 74 ++++++++++++++++++++-------------\n 1 file changed, 46 insertions(+), 28 deletions(-)", "diff": "diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\nindex 59fc8208aa..6bf2a55876 100644\n--- a/stdio-common/vfscanf-internal.c\n+++ b/stdio-common/vfscanf-internal.c\n@@ -265,6 +265,19 @@ char_buffer_add (struct char_buffer *buffer, CHAR_T ch)\n *buffer->current++ = ch;\n }\n \n+/* Calculate the result size of expanded char array in %ms, %mS,\n+ %m[, %lm[, %mc or %mC. */\n+static __always_inline size_t\n+grow_to_fit (size_t oldsize, int need, int extra)\n+{\n+ /* extra = 0 if %m[cC], %m[cC] always have positive width */\n+ if ((extra && need < 0) || oldsize < need)\n+ return oldsize * 2;\n+ /* oldsize >= need:\n+ grow requested capacity and `extra' byte for `\\0' */\n+ return oldsize + need + extra;\n+}\n+\n /* Read formatted input from S according to the format string\n FORMAT, using the argument list in ARG.\n Return the number of assignments made, or -1 for an input error. */\n@@ -804,7 +817,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t {\n \t\t /* We have to enlarge the buffer if the `m' flag\n-\t\t\t was given. */\n+\t\t\t was given. And we may not expand str by width\n+\t\t\t as the wcrtomb may return various bytes */\n \t\t size_t strleng = str - *strptr;\n \t\t char *newstr;\n \n@@ -854,9 +868,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t size_t newsize\n-\t\t\t = strsize\n-\t\t\t + (strsize >= width ? width - 1 : strsize);\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \n \t\t\t str = (char *) realloc (*strptr, newsize);\n \t\t\t if (str == NULL)\n@@ -928,8 +940,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t if ((flags & MALLOC)\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n-\t\t size_t newsize\n-\t\t\t= strsize + (strsize > width ? width - 1 : strsize);\n+\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\t newsize * sizeof (wchar_t));\n@@ -983,8 +994,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\tif (!(flags & SUPPRESS) && (flags & MALLOC)\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n-\t\t size_t newsize\n-\t\t = strsize + (strsize > width ? width - 1 : strsize);\n+\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\tnewsize * sizeof (wchar_t));\n@@ -1099,7 +1109,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& *strptr + strsize - str <= MB_LEN_MAX)\n \t\t {\n \t\t\t/* We have to enlarge the buffer if the `a' or `m'\n-\t\t\t flag was given. */\n+\t\t\t flag was given. And we may not expand str by\n+\t\t\t width as the wcrtomb may return various bytes */\n \t\t\tsize_t strleng = str - *strptr;\n \t\t\tchar *newstr;\n \n@@ -1157,7 +1168,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t str = (char *) realloc (*strptr, 2 * strsize);\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\t\t\t str = (char *) realloc (*strptr, newsize);\n \t\t\t if (str == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -1189,7 +1201,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t {\n \t\t\t *strptr = (char *) str;\n \t\t\t str += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -1287,9 +1299,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t\t/* Enlarge the buffer. */\n-\t\t\twstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize)\n-\t\t\t\t\t\t * sizeof (wchar_t));\n+\t\t\tsize_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\twstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\tif (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -1323,7 +1336,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t }\n \t\t }\n@@ -1363,9 +1376,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t /* Enlarge the buffer. */\n+\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n \t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize\n-\t\t\t\t\t\t * sizeof (wchar_t)));\n+\t\t\t\t\t\t newsize * sizeof (wchar_t));\n \t\t if (wstr == NULL)\n \t\t\t{\n \t\t\t /* Can't allocate that much. Last-ditch effort. */\n@@ -1398,7 +1412,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t{\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t}\n \t\t }\n \t\t}\n@@ -2755,9 +2769,10 @@ digits_extended_fail:\n \t\t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize)\n-\t\t\t\t\t\t * sizeof (wchar_t));\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\t wstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\t if (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -2791,7 +2806,7 @@ digits_extended_fail:\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -2840,9 +2855,10 @@ digits_extended_fail:\n \t\t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize\n-\t\t\t\t\t\t * sizeof (wchar_t)));\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\t wstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\t if (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -2876,7 +2892,7 @@ digits_extended_fail:\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -2984,7 +3000,9 @@ digits_extended_fail:\n \t\t if ((flags & MALLOC)\n \t\t\t && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t\t{\n-\t\t\t /* Enlarge the buffer. */\n+\t\t\t /* Enlarge the buffer. And we may not\n+\t\t\t expand str by width as the wcrtomb may\n+\t\t\t return various bytes */\n \t\t\t size_t strleng = str - *strptr;\n \t\t\t char *newstr;\n \n@@ -3052,7 +3070,7 @@ digits_extended_fail:\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t size_t newsize = 2 * strsize;\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n \n \t\t\tallocagain:\n \t\t\t str = (char *) realloc (*strptr, newsize);\n", "prefixes": [ "v4", "2/2" ] }