{"id":2220004,"url":"http://patchwork.ozlabs.org/api/patches/2220004/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/patch/20260405181821.475180-3-marocketbd@gmail.com/","project":{"id":41,"url":"http://patchwork.ozlabs.org/api/projects/41/?format=json","name":"GNU C Library","link_name":"glibc","list_id":"libc-alpha.sourceware.org","list_email":"libc-alpha@sourceware.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260405181821.475180-3-marocketbd@gmail.com>","list_archive_url":null,"date":"2026-04-05T18:18:21","name":"[v4,2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"045d37a6a25b8e5c0f27d0cbba117f75888f7a82","submitter":{"id":92898,"url":"http://patchwork.ozlabs.org/api/people/92898/?format=json","name":"Rocket Ma","email":"marocketbd@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/glibc/patch/20260405181821.475180-3-marocketbd@gmail.com/mbox/","series":[{"id":498801,"url":"http://patchwork.ozlabs.org/api/series/498801/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/list/?series=498801","date":"2026-04-05T18:18:19","name":"stdio-common: Fix heap overflow in scanf %mc pattern [BZ #34008]","version":4,"mbox":"http://patchwork.ozlabs.org/series/498801/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220004/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220004/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ansEIITu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=38.145.34.32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ansEIITu","sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","sourceware.org; spf=pass smtp.mailfrom=gmail.com","server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::1235"],"Received":["from vm01.sourceware.org (vm01.sourceware.org [38.145.34.32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fpgjl2vfTz1xy1\n\tfor ; Mon, 06 Apr 2026 04:20:11 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 665024BA2E28\n\tfor ; Sun, 5 Apr 2026 18:20:09 +0000 (GMT)","from mail-dl1-x1235.google.com (mail-dl1-x1235.google.com\n [IPv6:2607:f8b0:4864:20::1235])\n by sourceware.org (Postfix) with ESMTPS id C625E4BA2E28\n for ; Sun, 5 Apr 2026 18:18:50 +0000 (GMT)","by mail-dl1-x1235.google.com with SMTP id\n a92af1059eb24-126ea4e9694so7241336c88.1\n for ; Sun, 05 Apr 2026 11:18:50 -0700 (PDT)","from localhost ([23.94.240.252]) by smtp.gmail.com with UTF8SMTPSA\n id\n 5a478bee46e88-2cb7ec57f9dsm8748605eec.11.2026.04.05.11.18.47\n for \n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sun, 05 Apr 2026 11:18:47 -0700 (PDT)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 665024BA2E28","OpenDKIM Filter v2.11.0 sourceware.org C625E4BA2E28"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org C625E4BA2E28","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org C625E4BA2E28","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1775413131; cv=none;\n b=iCJxTBE9VWzMD5O459N/xgPKAvVMJEJ9q67/z5fAKAkhkOOC5pHkKSCXp8m+BdzTefcCkAc6AZ6+Zh352hejkVcno+mJNEtWIkIoXE0d/amYzuZbFItGI4hSDRdIyYoiqPwAv44EuL9fhyIeiL+C07VUTKUKd459pe/GUlz+4jA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1775413131; c=relaxed/simple;\n bh=UHhYNrw2hM5lF4xWrsWeUnjlTl+g7E/YTsOJxXzzjf0=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=ppGOcuuVBuq1iZW9KfeB1nwgHAMSkQqEPoHT5HPSXOxQev1+K3eo+EDr0clKOqNEO2/6rvG9FTv8LQa0GZBnPcli+xS2+OvO03uN1xpkpaqW3hKqns39we1ZzzTChvbeCPK6SP2vczeHY0tu4PxgKPnragRapejXaXhDCeFc7eA=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775413129; x=1776017929; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:from:to:cc:subject:date:message-id\n :reply-to; bh=5yHx8e+06vpPOinRWAo0pAGN7WVNjEgVLxVfB+/kHPc=;\n b=ansEIITuyLIk075Mhc0QE6bWdaVa5iBsYz7YukRppyEBubt3B1EEadZZIlY2be5gtV\n OYnvr3zt8JGcYBxz7HQVLZeru47bapbDqQbduuc2VMcADLSGsSfwQpJTLXG7ZDqWNCeF\n 6m9/2irZQnqSdN2T1nunMAbYBh1JsWqj6yDKmFnJhGEGZRYzRGEcktdyRpoFZr1x3zDk\n kbdXg+LRsI8zuJOB7SllF2jS99yocK1amlpu0bPFDarNCqe4Vddo5yt257gARDxb9QDj\n CodxKkIOvpnTMIxI7My61DwFBAuUsMwxGBJKsR9AhWA4aacQA/GhczkRAnjveb8TsvS5\n se6w==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775413129; x=1776017929;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=5yHx8e+06vpPOinRWAo0pAGN7WVNjEgVLxVfB+/kHPc=;\n b=CKguNwsmCcPS2kd37zAVh7rzskPN1HYvb/e+5zureTEX/L0BKtm7nlVVxCLhwAyLag\n /Y1cpSg7AJYXWOa7CU/o/ow/Xmnr3w2uzc7Dd5IVFzOFrhFAuXrkcicKkYlTjlzmPlg2\n QZbx0q6ZhqVuaeb5tL0swNzWI29JPkE6g8kutBrhuxS3uCKjelOvMSqVFNsZodcOPXRG\n r6Erne9hYe319KcZZyzKbl8rmAdu/mhqGeDye+XeypaOp9tpClKCO+uze+sBtmcqpemK\n snqtqjOYE5ITxR06vGBGBU+/bmCCZ+ypIhBVN5VG8AuWXBrzGiVpnq32nBQDrBiawhEl\n sH8A==","X-Gm-Message-State":"AOJu0Yyj6xRdiVrf+K2OJyP6FQq/7bFL/otrxCezBTKzHKiBo37imJFZ\n aTG3CS2npviKdshHADOsleJgEn1ivnO0o74QFpEUmHzvawEsW6BmtnMgUdJtow1q","X-Gm-Gg":"AeBDievmQ8f9vWCfQckKgI3vQYrKnkJo8Ou5JQ0f+pXZUDt6tdo0L4NKdipVCWc3kZd\n sFG2FRY0pcnNNSqRF0EYDo3JRtu1faC6GoIhkOCYqO93AnaMdjZTvDB1ge+/IFyxqob80CBopYB\n bJuVts6t+QjZNz8uzzYPn8NAzrLUGbiIGkA3yj7/Ikog8x6IZuvkX0RtrRLGUSK71UGlrTqkEGU\n FHLL5X3xjkKCuVqNEgAYNROXaxL2fHrNN3iLjIzwqzLUAQBzjJt6Cco9eU4E8QpmZHyyr6u9Toa\n Yn/uPHFblY3m7nKFRsf+V+Vd9HCMQyG95vkBDA5d7zJTl8WkzukFsj/tygfCi//5NpKL8xooQzv\n 78ZmmvzGs+Ks6UG+0LVdxDeE5aLclyePEKxLgiD0+EkQEIAa4v/rZ2GY0rbCe8GPNGAUnJYcwrc\n HQxDRtCW4oN8n89FKeH8Nr4Z3+z8O3urF8WzgU8qffwmtZ5K0yfq2IpotnvXYjQEvY+W7fCzoiN\n 1mpaZYH","X-Received":"by 2002:a05:7022:2221:b0:127:33e0:ea33 with SMTP id\n a92af1059eb24-12bfb74c9bcmr5068263c88.22.1775413129046;\n Sun, 05 Apr 2026 11:18:49 -0700 (PDT)","From":"Rocket Ma ","To":"libc-alpha@sourceware.org","Subject":"[PATCH v4 2/2] stdio-common: Fix buffer overflow in scanf %mc [BZ\n #34008]","Date":"Sun, 5 Apr 2026 11:18:21 -0700","Message-ID":"<20260405181821.475180-3-marocketbd@gmail.com>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260405181821.475180-1-marocketbd@gmail.com>","References":"<20260405181821.475180-1-marocketbd@gmail.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"},"content":"* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with\nformat %mc or %mC, glibc allocates one byte less, leading to\nuser-controlled one byte overflow. This commit fixes BZ #34008, or\nCVE-2026-5450. Unify newsize calculation of allocated buffer.\n\nSigned-off-by: Rocket Ma \n---\n stdio-common/vfscanf-internal.c | 74 ++++++++++++++++++++-------------\n 1 file changed, 46 insertions(+), 28 deletions(-)","diff":"diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c\nindex 59fc8208aa..6bf2a55876 100644\n--- a/stdio-common/vfscanf-internal.c\n+++ b/stdio-common/vfscanf-internal.c\n@@ -265,6 +265,19 @@ char_buffer_add (struct char_buffer *buffer, CHAR_T ch)\n *buffer->current++ = ch;\n }\n \n+/* Calculate the result size of expanded char array in %ms, %mS,\n+ %m[, %lm[, %mc or %mC. */\n+static __always_inline size_t\n+grow_to_fit (size_t oldsize, int need, int extra)\n+{\n+ /* extra = 0 if %m[cC], %m[cC] always have positive width */\n+ if ((extra && need < 0) || oldsize < need)\n+ return oldsize * 2;\n+ /* oldsize >= need:\n+ grow requested capacity and `extra' byte for `\\0' */\n+ return oldsize + need + extra;\n+}\n+\n /* Read formatted input from S according to the format string\n FORMAT, using the argument list in ARG.\n Return the number of assignments made, or -1 for an input error. */\n@@ -804,7 +817,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t {\n \t\t /* We have to enlarge the buffer if the `m' flag\n-\t\t\t was given. */\n+\t\t\t was given. And we may not expand str by width\n+\t\t\t as the wcrtomb may return various bytes */\n \t\t size_t strleng = str - *strptr;\n \t\t char *newstr;\n \n@@ -854,9 +868,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t size_t newsize\n-\t\t\t = strsize\n-\t\t\t + (strsize >= width ? width - 1 : strsize);\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \n \t\t\t str = (char *) realloc (*strptr, newsize);\n \t\t\t if (str == NULL)\n@@ -928,8 +940,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t if ((flags & MALLOC)\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n-\t\t size_t newsize\n-\t\t\t= strsize + (strsize > width ? width - 1 : strsize);\n+\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\t newsize * sizeof (wchar_t));\n@@ -983,8 +994,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\tif (!(flags & SUPPRESS) && (flags & MALLOC)\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n-\t\t size_t newsize\n-\t\t = strsize + (strsize > width ? width - 1 : strsize);\n+\t\t size_t newsize = grow_to_fit (strsize, width, 0);\n \t\t /* Enlarge the buffer. */\n \t\t wstr = (wchar_t *) realloc (*strptr,\n \t\t\t\t\t\tnewsize * sizeof (wchar_t));\n@@ -1099,7 +1109,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& *strptr + strsize - str <= MB_LEN_MAX)\n \t\t {\n \t\t\t/* We have to enlarge the buffer if the `a' or `m'\n-\t\t\t flag was given. */\n+\t\t\t flag was given. And we may not expand str by\n+\t\t\t width as the wcrtomb may return various bytes */\n \t\t\tsize_t strleng = str - *strptr;\n \t\t\tchar *newstr;\n \n@@ -1157,7 +1168,8 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t str = (char *) realloc (*strptr, 2 * strsize);\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\t\t\t str = (char *) realloc (*strptr, newsize);\n \t\t\t if (str == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -1189,7 +1201,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t {\n \t\t\t *strptr = (char *) str;\n \t\t\t str += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -1287,9 +1299,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t&& wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t\t/* Enlarge the buffer. */\n-\t\t\twstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize)\n-\t\t\t\t\t\t * sizeof (wchar_t));\n+\t\t\tsize_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\twstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\tif (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -1323,7 +1336,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t }\n \t\t }\n@@ -1363,9 +1376,10 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t {\n \t\t /* Enlarge the buffer. */\n+\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n \t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize\n-\t\t\t\t\t\t * sizeof (wchar_t)));\n+\t\t\t\t\t\t newsize * sizeof (wchar_t));\n \t\t if (wstr == NULL)\n \t\t\t{\n \t\t\t /* Can't allocate that much. Last-ditch effort. */\n@@ -1398,7 +1412,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,\n \t\t\t{\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t}\n \t\t }\n \t\t}\n@@ -2755,9 +2769,10 @@ digits_extended_fail:\n \t\t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize)\n-\t\t\t\t\t\t * sizeof (wchar_t));\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\t wstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\t if (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -2791,7 +2806,7 @@ digits_extended_fail:\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -2840,9 +2855,10 @@ digits_extended_fail:\n \t\t\t && wstr == (wchar_t *) *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t wstr = (wchar_t *) realloc (*strptr,\n-\t\t\t\t\t\t (2 * strsize\n-\t\t\t\t\t\t * sizeof (wchar_t)));\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n+\n+\t\t\t wstr = (wchar_t *) realloc (\n+\t\t\t *strptr, newsize * sizeof (wchar_t));\n \t\t\t if (wstr == NULL)\n \t\t\t {\n \t\t\t /* Can't allocate that much. Last-ditch\n@@ -2876,7 +2892,7 @@ digits_extended_fail:\n \t\t\t {\n \t\t\t *strptr = (char *) wstr;\n \t\t\t wstr += strsize;\n-\t\t\t strsize *= 2;\n+\t\t\t strsize = newsize;\n \t\t\t }\n \t\t\t}\n \t\t }\n@@ -2984,7 +3000,9 @@ digits_extended_fail:\n \t\t if ((flags & MALLOC)\n \t\t\t && *strptr + strsize - str <= MB_LEN_MAX)\n \t\t\t{\n-\t\t\t /* Enlarge the buffer. */\n+\t\t\t /* Enlarge the buffer. And we may not\n+\t\t\t expand str by width as the wcrtomb may\n+\t\t\t return various bytes */\n \t\t\t size_t strleng = str - *strptr;\n \t\t\t char *newstr;\n \n@@ -3052,7 +3070,7 @@ digits_extended_fail:\n \t\t\t && (char *) str == *strptr + strsize)\n \t\t\t{\n \t\t\t /* Enlarge the buffer. */\n-\t\t\t size_t newsize = 2 * strsize;\n+\t\t\t size_t newsize = grow_to_fit (strsize, width, 1);\n \n \t\t\tallocagain:\n \t\t\t str = (char *) realloc (*strptr, newsize);\n","prefixes":["v4","2/2"]}