{"id":2222924,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222924/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/patch/20260414021708.3062753-4-marocketbd@gmail.com/","project":{"id":41,"url":"http://patchwork.ozlabs.org/api/1.1/projects/41/?format=json","name":"GNU C Library","link_name":"glibc","list_id":"libc-alpha.sourceware.org","list_email":"libc-alpha@sourceware.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260414021708.3062753-4-marocketbd@gmail.com>","date":"2026-04-14T02:17:08","name":"[v5,3/3] stdio-common: Optimize %ms expansion for best fit","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"c5a6f78d0cb01e5c790b9bc81241b9c3d80ceed6","submitter":{"id":92898,"url":"http://patchwork.ozlabs.org/api/1.1/people/92898/?format=json","name":"Rocket Ma","email":"marocketbd@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/glibc/patch/20260414021708.3062753-4-marocketbd@gmail.com/mbox/","series":[{"id":499766,"url":"http://patchwork.ozlabs.org/api/1.1/series/499766/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/list/?series=499766","date":"2026-04-14T02:17:05","name":"Re: [PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]","version":5,"mbox":"http://patchwork.ozlabs.org/series/499766/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222924/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222924/checks/","tags":{},"headers":{"From":"Rocket Ma <marocketbd@gmail.com>","To":"Carlos O'Donell <carlos@redhat.com>","Cc":"libc-alpha@sourceware.org,\n\tFlorian Weimer <fw@deneb.enyo.de>","Subject":"[PATCH v5 3/3] stdio-common: Optimize %ms expansion for best fit","Date":"Mon, 13 Apr 2026 19:17:08 -0700","Message-ID":"<20260414021708.3062753-4-marocketbd@gmail.com>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260414021708.3062753-1-marocketbd@gmail.com>","References":"<20260414021708.3062753-1-marocketbd@gmail.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","List-Id":"Libc-alpha mailing list <libc-alpha.sourceware.org>","List-Archive":"<https://sourceware.org/pipermail/libc-alpha/>"},
"content":"* stdio-common/vfscanf-internal.c: Add grow_to_fit to calculate the size\nof expanded string during %ms/%m[ scan for best fit.\n\nSigned-off-by: Rocket Ma <marocketbd@gmail.com>\n---\n stdio-common/vfscanf-internal.c | 63 ++++++++++++++++++++++-----------\n 1 file changed, 42 insertions(+), 21 deletions(-)","diff":"diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\nindex 3d11ac261e..8eec294a98 100644\n--- a/stdio-common/vfscanf-internal.c\n+++ b/stdio-common/vfscanf-internal.c\n@@ -265,6 +265,17 @@ char_buffer_add (struct char_buffer *buffer, CHAR_T ch)\n     *buffer->current++ = ch;\n }\n \n+/* Calculate the result size of expanded char array in %ms, %mS,\n+   %m[ or %lm[. */\n+static __always_inline size_t\n+grow_to_fit (size_t oldsize, int need)\n+{\n+  if (need < 0 || oldsize < need)\n+    return oldsize * 2;\n+  /* oldsize >= need: grow requested capacity and 1 byte for `\\0' */\n+  return oldsize + need + 1;\n+}\n+\n /* Read formatted input from S according to the format string\n    FORMAT, using the argument list in ARG.\n    Return the number of assignments made, or -1 for an input error.  */\n@@ -804,7 +815,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t      && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t    {\n \t\t      /* We have to enlarge the buffer if the `m' flag\n-\t\t\t was given.  */\n+\t\t\t was given. 
And we may not expand str by width\n+\t\t\t as the wcrtomb may return various bytes */\n \t\t      size_t strleng = str - *strptr;\n \t\t      char *newstr;\n \n@@ -1098,7 +1110,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& *strptr + strsize - str <= MB_LEN_MAX)\n \t\t      {\n \t\t\t/* We have to enlarge the buffer if the `a' or `m'\n-\t\t\t   flag was given.  */\n+\t\t\t   flag was given. And we may not expand str by\n+\t\t\t   width as the wcrtomb may return various bytes */\n \t\t\tsize_t strleng = str - *strptr;\n \t\t\tchar *newstr;\n \n@@ -1156,7 +1169,9 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t  && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t  /* Enlarge the buffer.  */\n-\t\t\t  str = (char *) realloc (*strptr, 2 * strsize);\n+\t\t\t  size_t newsize = grow_to_fit (strsize, width);\n+\n+\t\t\t  str = (char *) realloc (*strptr, newsize);\n \t\t\t  if (str == NULL)\n \t\t\t    {\n \t\t\t      /* Can't allocate that much.  Last-ditch\n@@ -1188,7 +1203,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t    {\n \t\t\t      *strptr = (char *) str;\n \t\t\t      str += strsize;\n-\t\t\t      strsize *= 2;\n+\t\t\t      strsize = newsize;\n \t\t\t    }\n \t\t\t}\n \t\t    }\n@@ -1286,9 +1301,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& wstr == (wchar_t *) *strptr + strsize)\n \t\t      {\n \t\t\t/* Enlarge the buffer.  */\n-\t\t\twstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t    (2 * strsize)\n-\t\t\t\t\t\t    * sizeof (wchar_t));\n+\t\t\tsize_t newsize = grow_to_fit (strsize, width);\n+\n+\t\t\twstr = (wchar_t *) realloc (\n+\t\t\t    *strptr, newsize * sizeof (wchar_t));\n \t\t\tif (wstr == NULL)\n \t\t\t  {\n \t\t\t    /* Can't allocate that much.  
Last-ditch\n@@ -1322,7 +1338,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t  {\n \t\t\t    *strptr = (char *) wstr;\n \t\t\t    wstr += strsize;\n-\t\t\t    strsize *= 2;\n+\t\t\t    strsize = newsize;\n \t\t\t  }\n \t\t      }\n \t\t  }\n@@ -1362,9 +1378,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t      && wstr == (wchar_t *) *strptr + strsize)\n \t\t    {\n \t\t      /* Enlarge the buffer.  */\n+\t\t      size_t newsize = grow_to_fit (strsize, width);\n+\n \t\t      wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t  (2 * strsize\n-\t\t\t\t\t\t   * sizeof (wchar_t)));\n+\t\t\t\t\t\t  newsize * sizeof (wchar_t));\n \t\t      if (wstr == NULL)\n \t\t\t{\n \t\t\t  /* Can't allocate that much.  Last-ditch effort.  */\n@@ -1397,7 +1414,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t{\n \t\t\t  *strptr = (char *) wstr;\n \t\t\t  wstr += strsize;\n-\t\t\t  strsize *= 2;\n+\t\t\t  strsize = newsize;\n \t\t\t}\n \t\t    }\n \t\t}\n@@ -2754,9 +2771,10 @@ digits_extended_fail:\n \t\t\t  && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t  /* Enlarge the buffer.  */\n-\t\t\t  wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t      (2 * strsize)\n-\t\t\t\t\t\t      * sizeof (wchar_t));\n+\t\t\t  size_t newsize = grow_to_fit (strsize, width);\n+\n+\t\t\t  wstr = (wchar_t *) realloc (\n+\t\t\t      *strptr, newsize * sizeof (wchar_t));\n \t\t\t  if (wstr == NULL)\n \t\t\t    {\n \t\t\t      /* Can't allocate that much.  Last-ditch\n@@ -2790,7 +2808,7 @@ digits_extended_fail:\n \t\t\t    {\n \t\t\t      *strptr = (char *) wstr;\n \t\t\t      wstr += strsize;\n-\t\t\t      strsize *= 2;\n+\t\t\t      strsize = newsize;\n \t\t\t    }\n \t\t\t}\n \t\t    }\n@@ -2839,9 +2857,10 @@ digits_extended_fail:\n \t\t\t  && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t  /* Enlarge the buffer.  
*/\n-\t\t\t  wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t      (2 * strsize\n-\t\t\t\t\t\t       * sizeof (wchar_t)));\n+\t\t\t  size_t newsize = grow_to_fit (strsize, width);\n+\n+\t\t\t  wstr = (wchar_t *) realloc (\n+\t\t\t      *strptr, newsize * sizeof (wchar_t));\n \t\t\t  if (wstr == NULL)\n \t\t\t    {\n \t\t\t      /* Can't allocate that much.  Last-ditch\n@@ -2875,7 +2894,7 @@ digits_extended_fail:\n \t\t\t    {\n \t\t\t      *strptr = (char *) wstr;\n \t\t\t      wstr += strsize;\n-\t\t\t      strsize *= 2;\n+\t\t\t      strsize = newsize;\n \t\t\t    }\n \t\t\t}\n \t\t    }\n@@ -2983,7 +3002,9 @@ digits_extended_fail:\n \t\t      if ((flags & MALLOC)\n \t\t\t  && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t\t{\n-\t\t\t  /* Enlarge the buffer.  */\n+\t\t\t  /* Enlarge the buffer. And we may not\n+\t\t\t   expand str by width as the wcrtomb may\n+\t\t\t   return various bytes */\n \t\t\t  size_t strleng = str - *strptr;\n \t\t\t  char *newstr;\n \n@@ -3051,7 +3072,7 @@ digits_extended_fail:\n \t\t\t  && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t  /* Enlarge the buffer.  */\n-\t\t\t  size_t newsize = 2 * strsize;\n+\t\t\t  size_t newsize = grow_to_fit (strsize, width);\n \n \t\t\tallocagain:\n \t\t\t  str = (char *) realloc (*strptr, newsize);\n","prefixes":["v5","3/3"]}
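
Review bot: In grow_to_fit (first hunk), `oldsize < need` compares a size_t with an int, and neither `oldsize * 2` nor `oldsize + need + 1` is checked for wraparound before the wchar_t call sites multiply the result by `sizeof (wchar_t)`. The `need < 0` test runs first, so the implicit conversion is benign, but converting `need` to size_t explicitly after the sign check would make that visible, and an overflow-checked size would keep the value handed to realloc in step with the `strsize = newsize` bookkeeping in the later hunks. The function comment should also say whether `need` is the total field width or the remaining count, and why the `oldsize < need` branch still doubles rather than sizing to `need + 1`, given that the commit message promises a best fit.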
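
Review bot: The comment text added in the three `MB_LEN_MAX` hunks (@@ -804, @@ -1098, @@ -2983), "And we may not expand str by width as the wcrtomb may return various bytes", is hard to parse and drops the surrounding comment convention of ending with a period and two spaces before `*/`. If the intent is that the byte length cannot be derived from the width because wcrtomb emits a variable number of bytes per character, say that directly, for example "We cannot size the buffer from the width here because wcrtomb produces a variable number of bytes per character.  */".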
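
Review bot: The wchar_t realloc calls are laid out inconsistently: the @@ -1286, @@ -2754 and @@ -2839 hunks break the line straight after `realloc (`, while the @@ -1362 hunk keeps `*strptr,` on the opening line; please use one layout, preferably the one that keeps the first argument after the parenthesis as the removed lines did. Separately, the diffstat lists only stdio-common/vfscanf-internal.c, so the new growth policy arrives without a test; a case that scans %ms and %m[ with a width both below and above the initial buffer size, plus one with no width, would exercise both return paths of grow_to_fit and the `allocagain` retry in the last hunk.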