
Two bugs in *scanf ?



Results from etrax LX, gcc; 2.96 20000427, devboard_lx-R1_0_0

One can't sscanf from a static buffer:

Example (I compile it with:
gcc_cris -mlinux -DCRISMMU -muclibc=/mnt/floppy/axis/devboard_lx/eroot -Wall -g -I/mnt/floppy/axis/devboard_lx/eroot/include file.c):

#include <stdio.h>
#include <stdlib.h>   /* exit() */

int main(int argc, char **argv)
{
  unsigned int a, b;

  /* scan directly from a string literal, i.e. read-only storage */
  printf("%i\n", sscanf("1 2", "%u %u", &a, &b));
  printf("%u %u\n", a, b);
  exit(0);
}

crashes with a segfault inside the vfscanf call. Seems the problem is
that vfscanf calls ungetc at the end of the string (getc returns NUL)
and ungetc really tries to write to the string (which is unreadable).
One could perhaps change the flags on the fp so it will abort the
ungetc call (__MODE_ERR ?).

--------------------------

Next example just crashes:

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

int main(int argc, char **argv)
{
  unsigned int a, b;
  char buff[100];
  strcpy(buff, "$GPGGA,095524.0,5803.554,N,01149.150,E,1,07,1.33,00015,M,040,M,,*56");

  /* only the two %u fields are stored; every other field is suppressed with %* */
  printf("%i\n", sscanf(buff, "$GPGGA,%*[^,],%*[^,],%*c,%*[^,],%*c,%u,%u,%*[^,],%*[^,],%*[^,],%*[^,],%*[^,],%*[^,],%*[^*]*", &a, &b));
  printf("%u %u\n", a, b);
  exit(0);
}

Seems sscanf doesn't store the unsigned integers to a and b correctly.

When the first number is to be stored (n=1 around line 320 in scanf.c):
*va_arg(ap, long*) = n;

ap points to 0x4ffffe54, but it should point to &a == 0x4ffffeb4

Seems va_arg is sometimes used even when store == 0.

I added an if(store) before each va_arg call and then this piece
of code works, but I have not tested anything else...

/Sebastian
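As an added example (not from the post and not uClibc's code), a tiny scanf work-alike that is correct on the two points the report raises: the input is a const pointer, so nothing can write back into a string literal, and a `%*` suppressed conversion never consumes a va_arg. mini_sscanf, parse_gpgga and SAMPLE_GPGGA are hypothetical names; the GPGGA sample line is constructed.

```c
#include <ctype.h>
#include <stdarg.h>
#include <string.h>

static const char SAMPLE_GPGGA[] =           /* constructed sample NMEA sentence */
    "$GPGGA,095524.0,5803.554,N,01149.150,E,1,07,1.33,00015,M,040,M,,*56";

/* Hypothetical minimal scanf (not uClibc code): %u, %c and %[^X] with a single
 * excluded char, each with optional '*' suppression, plus literal characters.
 * The input is read-only, so scanning a string literal can never write to it. */
static int mini_sscanf(const char *s, const char *fmt, ...) {
    va_list ap;
    int assigned = 0, store;                     /* assigned = conversions stored */
    va_start(ap, fmt);
    while (*fmt) {
        if (*fmt != '%') {                       /* literal: must match exactly */
            if (*s != *fmt) break;
            s++; fmt++; continue;
        }
        store = (*++fmt != '*');                 /* '*' = assignment suppression */
        if (!store) fmt++;
        if (*fmt == 'u' && isdigit((unsigned char)*s)) {
            unsigned v = 0;
            while (isdigit((unsigned char)*s)) v = v * 10 + (unsigned)(*s++ - '0');
            /* The guard from the report: a suppressed field must not va_arg. */
            if (store) { *va_arg(ap, unsigned *) = v; assigned++; }
        } else if (*fmt == 'c' && *s) {
            if (store) { *va_arg(ap, char *) = *s; assigned++; }
            s++;
        } else if (*fmt == '[' && fmt[1] == '^' && fmt[2] && fmt[3] == ']') {
            const char *start = s;
            while (*s && *s != fmt[2]) s++;
            if (s == start) break;               /* empty set match fails, as in scanf */
            if (store) {
                char *d = va_arg(ap, char *);
                memcpy(d, start, (size_t)(s - start)); d[s - start] = '\0'; assigned++;
            }
            fmt += 3;
        } else break;                            /* matching failure or unsupported */
        fmt++;
    }
    va_end(ap);
    return assigned;
}

/* The report's format on a GPGGA line: the empty field before the checksum
 * makes a later %*[^,] fail, so the count stops at 2, exactly as sscanf does. */
static int parse_gpgga(const char *line, unsigned *fix, unsigned *sats) {
    return mini_sscanf(line, "$GPGGA,%*[^,],%*[^,],%*c,%*[^,],%*c,%u,%u,%*[^,],"
                       "%*[^,],%*[^,],%*[^,],%*[^,],%*[^,],%*[^*]*", fix, sats);
}
```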