{"id":2222923,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222923/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/patch/20260414021708.3062753-3-marocketbd@gmail.com/","project":{"id":41,"url":"http://patchwork.ozlabs.org/api/1.1/projects/41/?format=json","name":"GNU C Library","link_name":"glibc","list_id":"libc-alpha.sourceware.org","list_email":"libc-alpha@sourceware.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260414021708.3062753-3-marocketbd@gmail.com>","date":"2026-04-14T02:17:07","name":"[v5,2/3] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3546b05d31ad5de7c762d16c84c5055603e9b224","submitter":{"id":92898,"url":"http://patchwork.ozlabs.org/api/1.1/people/92898/?format=json","name":"Rocket Ma","email":"marocketbd@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/glibc/patch/20260414021708.3062753-3-marocketbd@gmail.com/mbox/","series":[{"id":499766,"url":"http://patchwork.ozlabs.org/api/1.1/series/499766/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/list/?series=499766","date":"2026-04-14T02:17:05","name":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]","version":5,"mbox":"http://patchwork.ozlabs.org/series/499766/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222923/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222923/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=XABm6NYl;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=XABm6NYl","sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","sourceware.org; spf=pass smtp.mailfrom=gmail.com","server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::122e"],"Received":["from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvnxY34yLz1yCv\n\tfor ; Tue, 14 Apr 2026 12:18:09 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 911FF4BA23C1\n\tfor ; Tue, 14 Apr 2026 02:18:07 +0000 (GMT)","from mail-dl1-x122e.google.com (mail-dl1-x122e.google.com\n [IPv6:2607:f8b0:4864:20::122e])\n by sourceware.org (Postfix) with ESMTPS id CF0B84BA2E2D\n for ; Tue, 14 Apr 2026 02:17:46 +0000 (GMT)","by mail-dl1-x122e.google.com with SMTP id\n a92af1059eb24-12c565476d7so1036559c88.1\n for ; Mon, 13 Apr 2026 19:17:46 -0700 (PDT)","from localhost ([23.94.240.252]) by smtp.gmail.com with UTF8SMTPSA\n id\n a92af1059eb24-12c347fa2c9sm16350858c88.15.2026.04.13.19.17.44\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 13 Apr 2026 19:17:45 -0700 (PDT)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 911FF4BA23C1","OpenDKIM Filter v2.11.0 sourceware.org CF0B84BA2E2D"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org CF0B84BA2E2D","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org CF0B84BA2E2D","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776133067; cv=none;\n b=saQoqC/czi7PABqu0xsmmhl+qCVPzr3ng95h+Nn+lKHXbIxmBQUiV3CS1IYLtH3Rbc85CXESLe9yEBhr8NNkD0q4T6RoR7hDQoSQrXZoltxrRs6gaxjLoeephLxUFSIJLskoor6hKTsR+uY14O1B39NINLKZKq4NZFHslIdKjbo=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776133067; c=relaxed/simple;\n bh=lCT3KAIUAYzW5Hx64+E02onVgnXAgMF5FTd9gmcorXs=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=wWI+LJghCVCKTR6xITmR72C3Kh7ipLLZC6n0wk3NkoP3hIEOOhlWRLXvdQ6tvSUDOTh/CwFAUS1OhlIaXrVqhl65YDJk1WS53f9Wvev8f10GjKuTGQCWDEXoesG8lncpN7JfxMCutgCEk5GOi1OC7kE74kCHg4Me8ozWYt+22PU=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776133066; x=1776737866; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=KoUY2I56RuW555YLWyPKvXGyH27BNLWUl/tltmVh/v0=;\n b=XABm6NYlS2Czq7tOVt/nqIBUdWIN73GqCbu89xfsaC3E5sxIpiGnivWOUpQ8BrnwYr\n xLB0xAJSKtzmOuB6agVpbvjEz3VzboXCr5dNH2AXDgtX7enEC1TJhF61tYY1TevPOwYf\n 50yk0Z8iDPFh+XVKS0yCIeH+Buwmmq00wls/MomZXafvl3oUXRy5XaCvTlw18E5i1zes\n m99blSQ2CnTdYi5GbegUXpuG2fT4jknQz2zmCb7T6+7/WPswOgxhtevcwm/KJrx/LTpc\n 1rgNnQrD8VSj4/j62yW+lv4oyJDJKgkgOlaxxTWM/lFhjaqBCFRT4bYG16epBzg+xks9\n vGPw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776133066; x=1776737866;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=KoUY2I56RuW555YLWyPKvXGyH27BNLWUl/tltmVh/v0=;\n b=lW4SQZs8KbWJeb9dOyyL4ITavtZ9RTNdWGESw5zkVrRv8oTSL2aHAsLDk0QZIxwl/J\n TMnmK9KkwtESiV/WV5KKT41fJdjxs2VkkR65ZcaVGmgw/Juq+xT/qe5Syc6KUtBKSM+s\n DGUVrVQmgqa90XMdnfFBYzMd+zMLQ7Mb2ZFVg+8yf+cLuf6ftONDVag3lkvt9mEniuHw\n x1x2CczVTcIxnzEVKAImTM1qoElVys+TbiMAIxsl9uv5ArchxGzJBE32jL4ldnbRXzlq\n zAA6ld3OmGCNY8NAcgwYf8eO2lh2vUf1qIgJ5UnwFlmQIj4cJofzU8u+pXsq4HGislsF\n h9Fg==","X-Gm-Message-State":"AOJu0YzpW15TAEqAv53yA2NdFJKai7GgTCZV9wz/jQx+lT4h9Itphm5i\n 5HJ5lLuLYXn8saJQcQ4GR7GgwpPwuBzBZBtse9br2JtvlNs5Gl+Ze3YF","X-Gm-Gg":"AeBDievKMOuTSscT9ZI2wk6hSR4dPo27ZatcYD/zIPPCRWSeWdSW0n5vuhFiCWk7sGe\n xUeMnA0CacIWWxzR5WAMgOkZJ7VChkdoZs3RUz/6RXLQGjH97uSaPAraeCMcGO8v976CnmITzIB\n YHeCUwJOnhOuotBkVHte0zzj9G67egOHF7oTlvlKhB4gjhNSiJsq2HXZolWK0Kni2EH6/gMFxpl\n 9FQ+/2U+xmS/047v14c0SfFE0WUWztjfkXGE7/wrx2Yr6GK7DXb6tq4tx5s4FACoZxB7Ozph8Si\n kgbxDjmwjlD64lrYrYHgszVdq/agLv5ubn8whM9IC5g7JFOswK3c/c8r9dKLjf+vkfsadpukYrM\n IJha3DCtJ8Eh7oJXLbaDaJtlo4lQcknEgxnesHpPg6ZtE5k9vya+BbCszFr2ShWB5FhsNFa/0Uy\n xtVE0NIu2HWoXbeMAL9t8rYjEPekQHyPKY+QP2700gxgYg9URmZ/mVr8usABrQze83yZK/W9NVq\n 0rNYrJPjeCoJdQj5IosYEiiezVGIsXpVvJy24jjNPw9QJKrNKq82EaOd0xGbgONVOYhDoeh1Hc=","X-Received":"by 2002:a05:7022:618e:b0:12a:713b:8958 with SMTP id\n a92af1059eb24-12c34e5a827mr9215745c88.10.1776133065747;\n Mon, 13 Apr 2026 19:17:45 -0700 (PDT)","From":"Rocket Ma ","To":"Carlos O'Donell ","Cc":"libc-alpha@sourceware.org,\n\tFlorian Weimer ","Subject":"[PATCH v5 2/3] stdio-common: Fix buffer overflow in scanf %mc [BZ\n #34008]","Date":"Mon, 13 Apr 2026 19:17:07 -0700","Message-ID":"<20260414021708.3062753-3-marocketbd@gmail.com>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260414021708.3062753-1-marocketbd@gmail.com>","References":"<20260414021708.3062753-1-marocketbd@gmail.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"},"content":"* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with\nformat %mc or %mC, glibc allocates one byte less, leading to\nuser-controlled one byte overflow. This commit fixes BZ #34008, or\nCVE-2026-5450.\n\nSigned-off-by: Rocket Ma \n---\n stdio-common/vfscanf-internal.c | 7 +++----\n 1 file changed, 3 insertions(+), 4 deletions(-)","diff":"diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\nindex 59fc8208aa..3d11ac261e 100644\n--- a/stdio-common/vfscanf-internal.c\n+++ b/stdio-common/vfscanf-internal.c\n@@ -855,8 +855,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n \t\t\t size_t newsize\n-\t\t\t = strsize\n-\t\t\t + (strsize >= width ? width - 1 : strsize);\n+\t\t\t = strsize + (strsize >= width ? width : strsize);\n \n \t\t\t str = (char *) realloc (*strptr, newsize);\n \t\t\t if (str == NULL)\n@@ -929,7 +928,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t size_t newsize\n-\t\t\t= strsize + (strsize > width ? width - 1 : strsize);\n+\t\t\t= strsize + (strsize >= width ? width : strsize);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\t newsize * sizeof (wchar_t));\n@@ -984,7 +983,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t size_t newsize\n-\t\t = strsize + (strsize > width ? width - 1 : strsize);\n+\t\t = strsize + (strsize >= width ? width : strsize);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\tnewsize * sizeof (wchar_t));\n","prefixes":["v5","2/3"]}