author: Rich Felker <dalias@aerifal.cx> 2013-07-20 00:21:11 -0400
committer: Rich Felker <dalias@aerifal.cx> 2013-07-20 00:21:11 -0400
commit: 1d92cddb1e1ed4b6cc0e55461727561e7a2522e0
tree: d4f7a600da055639ac71aa28463d862d04fc91d7 /src/stdio/vfscanf.c
parent: 8389520ed5ad6f0033d6426e21ef653fa5ca26a4
fix uninitialized/stale use of alloc (%m modifier) flag in scanf
for conversion specifiers, alloc is always set when the specifier is parsed. however, if scanf stops due to mismatching literal text, either an uninitialized (if no conversions have been performed yet) or stale (from the previous conversion) value of the flag will be used, possibly causing an invalid pointer to be passed to free when the function returns.
Diffstat (limited to 'src/stdio/vfscanf.c')
-rw-r--r-- src/stdio/vfscanf.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/stdio/vfscanf.c b/src/stdio/vfscanf.c
index bb928480..68c8e2cf 100644
--- a/src/stdio/vfscanf.c
+++ b/src/stdio/vfscanf.c
@@ -81,6 +81,8 @@ int vfscanf(FILE *restrict f, const char *restrict fmt, va_list ap)
for (p=(const unsigned char *)fmt; *p; p++) {
+ alloc = 0;
+
if (isspace(*p)) {
while (isspace(p[1])) p++;
shlim(f, 0);
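Review bot: the added `alloc = 0;` at the top of the `for` body carries no comment, and because the commit message says alloc is always set when a specifier is parsed, a later reader could take the reset for dead code and remove it. A one-line comment stating that it covers the literal-mismatch exit, which leaves the loop without parsing a specifier, would protect the fix. It is also worth confirming that the cleanup reading alloc cannot be reached when the loop body never runs (`*p` is zero on entry, an empty format); if it can, initialize alloc at its declaration as well. A regression test with a literal mismatch before any conversion, and another with a mismatch after a %m conversion, would pin both the uninitialized and the stale case.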