Don't accept exp char without preceding digits in scanf float parsing

diff --git a/ChangeLog b/ChangeLog
index 6313627..c64d690 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2013-04-11  Andreas Schwab  <schwab@suse.de>
 
+       [BZ #13988]
+       * stdio-common/vfscanf.c (_IO_vfwscanf): When parsing a float
+       accept exponent character only when digits were seen.
+       * stdio-common/Makefile (tests): Add bug26.
+       * stdio-common/bug26.c: New file.
+
        [BZ #14293]
        * elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as
        non-freeable.

diff --git a/NEWS b/NEWS
index 639b1f0..66efb82 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,12 +9,12 @@ Version 2.18
 
 * The following bugs are resolved with this release:
 
-  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142,
-  14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920,
-  14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023,
-  15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283,
-  15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336,
-  15337, 15342, 15346.
+  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 13988,
+  14142, 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812,
+  14920, 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020,
+  15023, 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234,
+  15283, 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335,
+  15336, 15337, 15342, 15346.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).

diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index f64a8ba..658804b 100644 (file)
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
         bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
         scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
         bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
-        bug25 tst-printf-round
+        bug25 tst-printf-round bug26
 
 test-srcs = tst-unbputc tst-printf
 

diff --git a/stdio-common/bug26.c b/stdio-common/bug26.c
new file mode 100644 (file)
index 0000000..a4c6bce
--- /dev/null
+++ b/stdio-common/bug26.c
@@ -0,0 +1,37 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+  FILE *f;
+  int lost = 0;
+  int c;
+  double d;
+  char s[] = "+.e";
+
+  f = fmemopen (s, strlen (s), "r");
+  /* This should fail to parse a float and leave 'e' in the input.  */
+  lost |= (fscanf (f, "%f", &d) != 0);
+  c = fgetc (f);
+  lost |= c != 'e';
+  puts (lost ? "Test FAILED!" : "Test succeeded.");
+  return lost;
+}

diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index 9b5c4a9..82f7eee 100644 (file)
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -222,7 +222,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
   /* Errno of last failed inchar call.  */
   int inchar_errno = 0;
   /* Status for reading F-P nums.  */
-  char got_dot, got_e, negative;
+  char got_digit, got_dot, got_e, negative;
   /* If a [...] is a [^...].  */
   CHAR_T not_in;
 #define exp_char not_in
@@ -1845,7 +1845,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
          if (__builtin_expect (c == EOF, 0))
            input_error ();
 
-         got_dot = got_e = 0;
+         got_digit = got_dot = got_e = 0;
 
          /* Check for a sign.  */
          if (c == L_('-') || c == L_('+'))
@@ -1971,13 +1971,19 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
          while (1)
            {
              if (ISDIGIT (c))
-               ADDW (c);
+               {
+                 ADDW (c);
+                 got_digit = 1;
+               }
              else if (!got_e && (flags & HEXA_FLOAT) && ISXDIGIT (c))
-               ADDW (c);
+               {
+                 ADDW (c);
+                 got_digit = 1;
+               }
              else if (got_e && wp[wpsize - 1] == exp_char
                       && (c == L_('-') || c == L_('+')))
                ADDW (c);
-             else if (wpsize > 0 && !got_e
+             else if (got_digit && !got_e
                       && (CHAR_T) TOLOWER (c) == exp_char)
                {
                  ADDW (exp_char);