[{"id":3673690,"web_url":"http://patchwork.ozlabs.org/comment/3673690/","msgid":"<87bjfwbh05.fsf@mid.deneb.enyo.de>","list_archive_url":null,"date":"2026-04-06T09:00:26","subject":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc\n [BZ #34008]","submitter":{"id":5264,"url":"http://patchwork.ozlabs.org/api/people/5264/","name":"Florian Weimer","email":"fw@deneb.enyo.de"},"content":"* Rocket Ma:\n\n> * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with\n> format %mc or %mC, glibc allocates one byte less, leading to\n> user-controlled one byte overflow. This commit fixes BZ #34008, or\n> CVE-2026-5450. Unify newsize calculation of allocated buffer.\n>\n> Signed-off-by: Rocket Ma <marocketbd@gmail.com>\n> ---\n>  stdio-common/vfscanf-internal.c | 74 ++++++++++++++++++++-------------\n>  1 file changed, 46 insertions(+), 28 deletions(-)\n>\n> diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\n> index 59fc8208aa..6bf2a55876 100644\n> --- a/stdio-common/vfscanf-internal.c\n> +++ b/stdio-common/vfscanf-internal.c\n> 
@@ -265,6 +265,19 @@ char_buffer_add (struct char_buffer *buffer, CHAR_T ch)\n>      *buffer->current++ = ch;\n>  }\n>  \n> +/* Calculate the result size of expanded char array in %ms, %mS,\n> +   %m[, %lm[, %mc or %mC. */\n> +static __always_inline size_t\n> +grow_to_fit (size_t oldsize, int need, int extra)\n> +{\n> +  /* extra = 0 if %m[cC], %m[cC] always have positive width */\n> +  if ((extra && need < 0) || oldsize < need)\n> +    return oldsize * 2;\n> +  /* oldsize >= need:\n> +     grow requested capacity and `extra' byte for `\\0' */\n> +  return oldsize + need + extra;\n> +}\n\nThanks for working on this.\n\nThe last (extra) argument is constant.  I'd suggest two functions with\ndescriptive names instead (maybe grow_to_fit_for_fixed for the %c\nfamily, and grow_to_fit_with_null for the %s/%[] family that perform\nnull termination).  The new functions probably shouldn't be inline, so\nthat the compiler can apply its heuristics.\n\nAs written, the interaction with the extra argument and a negative\nneed argument is not quite obvious from the function alone (code and\ncomments).  
The function seems correct because need (called width in\nthe caller) can only be -1 for the %s/%[] case, where extra is 1.","headers":{"Return-Path":"<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=38.145.34.32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n dmarc=none (p=none dis=none) header.from=deneb.enyo.de","sourceware.org; spf=pass smtp.mailfrom=deneb.enyo.de","server2.sourceware.org;\n arc=none smtp.remote-ip=79.140.189.114"],"Received":["from vm01.sourceware.org (vm01.sourceware.org [38.145.34.32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq3G20DT4z1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 19:00:58 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 5B7754BA9009\n\tfor <incoming@patchwork.ozlabs.org>; Mon,  6 Apr 2026 09:00:55 +0000 (GMT)","from cygnus.enyo.de (cygnus.enyo.de [79.140.189.114])\n by sourceware.org (Postfix) with ESMTPS id 7DC074BA23DA\n for <libc-alpha@sourceware.org>; Mon,  6 Apr 2026 09:00:34 +0000 (GMT)","from [172.17.203.2] (port=43635 helo=deneb.enyo.de)\n by albireo.enyo.de ([172.17.140.2]) with esmtps\n (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)\n id 1w9foo-0000000BnFq-3pOM; Mon, 06 Apr 2026 09:00:26 +0000","from fw by deneb.enyo.de with local (Exim 4.98.2)\n (envelope-from <fw@deneb.enyo.de>) id 1w9foo-000000009Mi-3S5X;\n Mon, 06 Apr 
2026 11:00:26 +0200"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 5B7754BA9009","OpenDKIM Filter v2.11.0 sourceware.org 7DC074BA23DA"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org 7DC074BA23DA","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org 7DC074BA23DA","ARC-Authentication-Results":"i=1; server2.sourceware.org","From":"Florian Weimer <fw@deneb.enyo.de>","To":"Rocket Ma <marocketbd@gmail.com>","Cc":"libc-alpha@sourceware.org","Subject":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc\n [BZ #34008]","In-Reply-To":"<20260405181821.475180-3-marocketbd@gmail.com> (Rocket Ma's\n message of \"Sun, 5 Apr 2026 11:18:21 -0700\")","References":"<20260405181821.475180-1-marocketbd@gmail.com>\n <20260405181821.475180-3-marocketbd@gmail.com>","Date":"Mon, 06 Apr 2026 11:00:26 +0200","Message-ID":"<87bjfwbh05.fsf@mid.deneb.enyo.de>","MIME-Version":"1.0","Content-Type":"text/plain","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list <libc-alpha.sourceware.org>","List-Unsubscribe":"<https://sourceware.org/mailman/options/libc-alpha>,\n 
<mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>","List-Archive":"<https://sourceware.org/pipermail/libc-alpha/>","List-Post":"<mailto:libc-alpha@sourceware.org>","List-Help":"<mailto:libc-alpha-request@sourceware.org?subject=help>","List-Subscribe":"<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"}},{"id":3673791,"web_url":"http://patchwork.ozlabs.org/comment/3673791/","msgid":"<CAO_32Jp8UD__nFQEJWyAgX+3dmbpybix2S=CWS_CFSO1uaDQsA@mail.gmail.com>","list_archive_url":null,"date":"2026-04-06T16:17:50","subject":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ\n #34008]","submitter":{"id":92898,"url":"http://patchwork.ozlabs.org/api/people/92898/","name":"Rocket Ma","email":"marocketbd@gmail.com"},"content":"Florian Weimer <fw@deneb.enyo.de> wrote on Mon, Apr 6, 2026 at 17:00:\n\n> The last (extra) argument is constant.  I'd suggest two functions with\n> descriptive names instead (maybe grow_to_fit_for_fixed for the %c\n> family, and grow_to_fit_with_null for the %s/%[] family that perform\n> null termination).  The new functions probably shouldn't be inline, so\n> that the compiler can apply its heuristics.\n\nIf the function needs to be separated, then the old behavior, \"size_t\nnewsize = strsize + (strsize >= width ? width : strsize)\", is not\nworth a new function. And the function only expands to several\ninstructions, less than 10, observed via Compiler Explorer. I think\nit's OK to inline the function.\n\n> As written, the interaction with the extra argument and a negative\n> need argument is not quite obvious from the function alone (code and\n> comments).  The function seems correct because need (called width in\n> the caller) can only be -1 for the %s/%[] case, where extra is 1.\n\nSince the behavior mentioned has become some sort of convention, the\nfunction should be OK? 
Readers have the constant to distinguish between\n%ms and %mc, and they can understand the code via enough comments.\nPersonally I think it's worthwhile to put these two actions together to do\none thing: calculate the size of expanded array.","headers":{"Return-Path":"<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=mn0hPmme;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=38.145.34.32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=mn0hPmme","sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","sourceware.org; spf=pass smtp.mailfrom=gmail.com","server2.sourceware.org;\n arc=pass smtp.remote-ip=2a00:1450:4864:20::630"],"Received":["from vm01.sourceware.org (vm01.sourceware.org [38.145.34.32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqDz01jFwz1yFt\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 07 Apr 2026 02:18:30 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 05F4E4BA2E3D\n\tfor <incoming@patchwork.ozlabs.org>; Mon,  6 Apr 2026 16:18:28 +0000 (GMT)","from mail-ej1-x630.google.com (mail-ej1-x630.google.com\n [IPv6:2a00:1450:4864:20::630])\n 
 by sourceware.org (Postfix) with ESMTPS id 73AD24BA2E19\n for <libc-alpha@sourceware.org>; Mon,  6 Apr 2026 16:18:08 +0000 (GMT)","by mail-ej1-x630.google.com with SMTP id\n a640c23a62f3a-b980b35534eso823880766b.1\n for <libc-alpha@sourceware.org>; Mon, 06 Apr 2026 09:18:08 -0700 (PDT)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 05F4E4BA2E3D","OpenDKIM Filter v2.11.0 sourceware.org 73AD24BA2E19"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org 73AD24BA2E19","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org 73AD24BA2E19","ARC-Authentication-Results":["i=2; server2.sourceware.org","i=1; mx.google.com; arc=none"],"X-Received":"by 2002:a17:907:1c1b:b0:b9c:11ee:3c28 with SMTP id\n a640c23a62f3a-b9c658ec4c6mr598680566b.22.1775492286534; Mon, 06 Apr 2026\n 09:18:06 -0700 (PDT)","MIME-Version":"1.0","References":"<20260405181821.475180-1-marocketbd@gmail.com>\n <20260405181821.475180-3-marocketbd@gmail.com>\n <87bjfwbh05.fsf@mid.deneb.enyo.de>","In-Reply-To":"<87bjfwbh05.fsf@mid.deneb.enyo.de>","From":"Rocket Ma <marocketbd@gmail.com>","Date":"Tue, 7 Apr 2026 00:17:50 +0800","Message-ID":"\n <CAO_32Jp8UD__nFQEJWyAgX+3dmbpybix2S=CWS_CFSO1uaDQsA@mail.gmail.com>","Subject":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ\n #34008]","To":"Florian Weimer <fw@deneb.enyo.de>","Cc":"libc-alpha@sourceware.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list <libc-alpha.sourceware.org>","List-Unsubscribe":"<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>","List-Archive":"<https://sourceware.org/pipermail/libc-alpha/>","List-Post":"<mailto:libc-alpha@sourceware.org>","List-Help":"<mailto:libc-alpha-request@sourceware.org?subject=help>","List-Subscribe":"<https://sourceware.org/mailman/listinfo/libc-alpha>,\n 
<mailto:libc-alpha-request@sourceware.org?subject=subscribe>","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"}}]
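
Review bot: in the quoted hunk that adds grow_to_fit, the test `oldsize < need` compares a size_t with an int, so a negative need is converted to a very large unsigned value and the doubling branch is taken whatever extra is. That makes the `(extra && need < 0)` guard redundant and leaves the width == -1 convention resting on an implicit conversion. Consider testing `need < 0` explicitly before the comparison, or passing need as size_t once the caller has handled the unbounded case, and say in the comment which callers may pass a negative value. The helper also returns `oldsize * 2` and `oldsize + need + extra` without a wrap-around check; if the callers do not already bound the size, that check belongs here, since the result is used as an allocation size.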