Commit Graph

31 Commits

Author SHA1 Message Date
Takashi Yano 3d94e07c49 newlib: libc: Fix crash on fprintf to a wide-oriented stream.
Previously, fprintf() on a wide-oriented stream crashes or outputs
garbage. This is because a narrow char string which can be odd bytes
in length is cast into a wide char string which should be even
bytes in length in __sprint_r/__sfputs_r based on the __SWID flag.
As a result, if the length is odd bytes, the reading buffer runs over
the buffer length, which causes a crash. If the length is even bytes,
garbage is printed.

With this patch, any output to the stream which is set to different
orientation fails with error just like glibc. Note that it behaves
differently from other libc implementations such as BSD, musl and
Solaris.

Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
2023-11-10 00:36:41 +09:00
Matt Joyce f3b8138239 Add _REENT_ERRNO(ptr)
Add a _REENT_ERRNO() macro to encapsulate the access to the
_errno member of struct reent. This will help to replace the
structure member with a thread-local storage object in a follow
up patch.

Replace uses of __errno_r() with _REENT_ERRNO().  Keep __errno_r() macro for
potential users outside of Newlib.
2022-07-13 06:55:41 +02:00
Keith Packard cf86601d98 svfwscanf: Simplify _sungetwc_r to eliminate apparent buffer overflow
svfwscanf replaces getwc and ungetwc_r. The comments in the code talk
about avoiding file operations, but they also need to bypass the
mbtowc calls as svfwscanf operates on wchar_t, not multibyte data,
which is a more important reason here; they would not work correctly
otherwise.

The ungetwc replacement has code which uses the 3 byte FILE _ubuf
field, but if wchar_t is 32-bits, this field is not large enough to
hold even one wchar_t value. Building in this mode generates warnings
about array overflow:

	In file included from ../../newlib/libc/stdio/svfiwscanf.c:35:
	../../newlib/libc/stdio/vfwscanf.c: In function '_sungetwc_r.isra':
	../../newlib/libc/stdio/vfwscanf.c:316:12: warning: array subscript 4294967295 is above array bounds of 'unsigned char[3]' [-Warray-bounds]
	  316 |   fp->_p = &fp->_ubuf[sizeof (fp->_ubuf) - sizeof (wchar_t)];
	      |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	In file included from ../../newlib/libc/stdio/stdio.h:46,
			 from ../../newlib/libc/stdio/vfwscanf.c:82,
			 from ../../newlib/libc/stdio/svfiwscanf.c:35:
	../../newlib/libc/include/sys/reent.h:216:17: note: while referencing '_ubuf'
	  216 |   unsigned char _ubuf[3]; /* guarantee an ungetc() buffer */
	      |                 ^~~~~

However, the vfwscanf code *never* ungets data before the start of the
scanning operation, and *always* ungets data which matches the input
at that point, so the code always hits the block which backs up over
the input data and never hits the block which uses the _ubuf field.

In addition, the svfwscanf code will always start with the unget
buffer empty, so the ungetwc replacement never needs to support an
unget buffer at all.

Simplify the code by removing support for everything other than
backing up over the input data, leaving the check to make sure it
doesn't get underflowed in case the vfscanf code has a bug in it.

Signed-off-by: Keith Packard <keithp@keithp.com>
2021-08-18 10:37:24 +02:00
Keith Packard 9042d0ce65 Use remove-advertising-clause script to edit BSD licenses
This edits licenses held by Berkeley and NetBSD, both of which
have removed the advertising requirement from their licenses.

Signed-off-by: Keith Packard <keithp@keithp.com>
2020-01-29 19:03:31 +01:00
Lucio Andrés Illanes Albornoz d5daede26c Fix vfwscanf(3) assignment suppression flag handling bug
newlib's vfwscanf(3) (or specifically, __SVFWSCANF_R()) fails to correctly set
the assignment-suppressing character (`*') flag[1] which, when present in the
formatting string, results in undefined behaviour comprising retrieving and
dereferencing a pointer that was not supplied by the caller as such or at all.
When compared to the vfscanf(3) implementation, this would appear to be over
the missing goto match_failure statement preceded by the flags test seen below.
Hence, this patch (re)introduces it.

[1] <http://pubs.opengroup.org/onlinepubs/009695399/functions/fwscanf.html>

--
2019-06-03 10:38:40 +02:00
Keith Packard 2c245028af Use nanf("") instead of nanf(NULL)
Newer GCC versions require a non-NULL argument to this function for
some reason.

Signed-off-by: Keith Packard <keithp@keithp.com>
2018-08-29 15:57:27 +02:00
Yaakov Selkowitz 9087163804 ansification: remove _DEFUN
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2018-01-17 11:47:26 -06:00
Yaakov Selkowitz e6321aa6a6 ansification: remove _PTR
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2018-01-17 11:47:16 -06:00
Yaakov Selkowitz eea249da3b ansification: remove _PARAMS
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2018-01-17 11:47:13 -06:00
Yaakov Selkowitz 0bda30e1ff ansification: remove _CONST
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2018-01-17 11:47:08 -06:00
Yaakov Selkowitz 6783860a2e ansification: remove _AND
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2018-01-17 11:47:05 -06:00
Corinna Vinschen 67e628fa33 newlib: vfwscanf: fix negation bug in %[ conversion
Old BSD bug:  While ^ is recognized and the set of matching characters
is negated, the code neglects to increment the pointer pointing to the
matching characters.  Thus, on a negation expression like %[^xyz], the
matching doesn't only stop at x, y, or z, but incorrectly also on ^.

Fix this by setting the start pointer after recognizing the ^.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-12-04 17:05:11 +01:00
Corinna Vinschen a49209d2bc newlib: vf[w]scanf: Fix conversion multibyte <-> wchar_t
* vfscanf: per POSIX, if the target type is wchar_t, the width is
  counted in (multibyte) characters, not in bytes.

* vfscanf: Handle UTF-8 multibyte sequences converted to surrogate
  pairs on UTF-16 systems.

* vfwscanf: Don't count high surrogates in input against field width
  counting.  Per POSIX, input is

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-12-01 17:18:26 +01:00
Corinna Vinschen 9638c07527 newlib: vf[w]scanf: Drop width computation mixup
The width value keeps the maximum field width.  This is the maximum
field width of the *input*.  It's *never* to be used in conjunction
with the number of bytes or characters written to the output argument.

However, especially in vfwscanf, the code is partially taken from
NetBSD which erroneously subtracts the number of multibyte chars
written to the argument from the width variable, thus potentially
subtracting up to MB_CUR_MAX from width for a single character in
the input stream.

To make matters worse, the previous patch adding %m added basically
the same mistake for 'c' type input.

Fix it.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-12-01 13:47:26 +01:00
Yaakov Selkowitz c7ef9668cf stdio: remove TRAD_SYNOPSIS
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2017-12-01 03:41:51 -06:00
Corinna Vinschen d43863f569 newlib: vf[w]scanf: Implement POSIX %m modifier
* The new code is guarded with _WANT_IO_POSIX_EXTENSIONS, but
  this is automatically enabled with _WANT_IO_C99_FORMATS for now.

* vfscanf neglects to implement %l[, so %ml[ is not implemented yet
  either.

* Sidenote: vfwscanf doesn't allow ranges in %[ yet.  Strictly this
  is allowed per POSIX, but it differs from vfscanf as well as from
  glibc.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-30 21:50:23 +01:00
Corinna Vinschen 7161622514 newlib: vfwscanf: fix miscomputation of max field width in %[] case
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-30 21:02:38 +01:00
Corinna Vinschen 0fd2c9bd12 newlib: vf[w]scanf: add validity checks
POSIX requires that directive characters appear in a certain sequence:

1. '%' or '%<n>$'
2. optional '*'
3. optional field width digits
4. optional 'm' (not yet implemented)
5. optional length modifier ('l', 'L', 'll', 'h', 'hh', 'j', 't', 'z')
6. conversion specifier ('d', 's', etc)

Add a few basic validity checks to that effect, otherwise reject
directive as match failure.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-30 11:55:27 +01:00
Corinna Vinschen 31f11d0572 newlib: vf[w]scanf: Use SIZE_MAX rather than ~0
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-30 11:41:36 +01:00
Corinna Vinschen 2e328edee4 newlib: vf[w]scanf: Only return from a single point to simplify cleanup
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-30 11:41:36 +01:00
Corinna Vinschen 1bbdb3c953 newlib: [w]scanf: Fix behaviour on matching failure
The special handling of %\0 in [w]scanf is flawed.  It's just a
matching failure and should be handled as such.  scanf also
fakes an int input value on %X with X being an invalid conversion
char.  This is also just a matching failure and should be handled
the same way as %\0.

There's no indication of the reason for this "disgusting
backwards compatibility hacks" in the logs, given this
code made it into newlib before setting up the CVS repo.

Just handle these cases identically as matching failures.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-29 15:01:30 +01:00
Corinna Vinschen 941df759a2 Fix a potential buffer overflow in wscanf family
Fixes Coverity CID 60046

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-10-22 21:43:28 +02:00
Corinna Vinschen 88208d3735 POSIX-1.2008 per-thread locales, groundwork part 2
Move all locale category structure definitions into setlocale.h and remove
other headers in locale subdir.  Create inline accessor functions for
current category struct pointers and use throughout.  Use pointers to
"C" locale category structs by default in __global_locale.

Signed-off by: Corinna Vinschen <corinna@vinschen.de>
2016-08-15 10:56:56 +02:00
Shoichi Sakon 001ef5af39 Fix wscanf family positional parameter handling in %lc, %ls, %l[]
* libc/stdio/vfwscanf.c (__SVFWSCANF_R): Convert wrong usage of va_arg
        to GET_ARG in %lc, %ls and %l[] cases.  Fix unterminated string in %l[]
        case.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-03 21:51:35 +02:00
Corinna Vinschen 281924766d * libc/stdio/vfwscanf.c (__SVFWSCANF_R): Fix fetching decimal_point in
!_MB_CAPABLE as well as in !__HAVE_LOCALE_INFO_EXTENDED__ case.
2013-12-19 18:50:00 +00:00
Corinna Vinschen 576b7804d6 * vfscanf.c (BUF): Change definition to take multibyte decimal point
into account.
	(__SVFSCANF_R): Handle radix char language-dependent
	per POSIX.
	(__SVFWSCANF_R): Ditto.
2013-12-18 19:23:33 +00:00
Joel Sherrill 380c9f6165 2013-11-26 Julio Gutierrez <jgutleyva@gmail.com>
*libc/include/wchar.h: Add restrict keyword.
	*libc/stdio/fgetws.c (fgetws): ditto.
	*libc/stdio/fputws.c (fputws): ditto.
	*libc/stdio/fwprintf.c (fwprintf): ditto.
	*libc/stdio/fwscanf.c (fwscanf): ditto.
	*libc/stdio/swprintf.c (swprintf): ditto.
	*libc/stdio/swscanf.c (swscanf): ditto.
	*libc/stdio/vfwprintf.c (vfwprintf): ditto.
	*libc/stdio/vfwscanf.c (vfwscanf): ditto.
	*libc/stdio/vswprintf.c (vswprintf): ditto.
	*libc/stdio/vswscanf.c (vswscanf): ditto.
	*libc/stdio/vwprintf.c (vwprintf): ditto.
	*libc/stdio/vwscanf.c (vwscanf): ditto.
	*libc/stdio/wprintf.c (wprintf): ditto.
	*libc/stdio/wscanf.c (wscanf): ditto.
	*libc/stdlib/mbrlen.c (mbrlen): ditto.
	*libc/stdlib/mbrtowc.c (mbrtowc): ditto.
	*libc/stdlib/mbsnrtowcs.c (mbsnrtowcs): ditto.
	*libc/stdlib/mbsrtowcs.c (mbsrtowcs): ditto.
	*libc/stdlib/wcrtomb.c (wcrtomb): ditto.
	*libc/stdlib/wcsnrtombs.c (wcsnrtombs): ditto.
	*libc/stdlib/wcsrtombs.c (wcsrtombs): ditto.
	*libc/stdlib/wcstod.c (wcstod): ditto.
	*libc/stdlib/wcstol.c (wcstol): ditto.
	*libc/stdlib/wcstold.c (wcstold): ditto.
	*libc/stdlib/wcstoll.c (wcstoll): ditto.
	*libc/stdlib/wcstoul.c (wcstoul): ditto.
	*libc/stdlib/wcstoull.c (cstoull): ditto.
	*libc/string/wcpcpy.c (wcpcpy): ditto.
	*libc/string/wcpncpy.c (wcpncpy): ditto.
	*libc/string/wcscat.c (wcscat): ditto.
	*libc/string/wcscpy.c (wcscpy): ditto.
	*libc/string/wcsncat.c (wcsncat): ditto.
	*libc/string/wcsncpy.c (wcsncpy): ditto.
	*libc/string/wcsstr.c (wcsstr): ditto.
	*libc/string/wcstok.c (wcstok): ditto.
	*libc/string/wcsxfrm.c (wcsxfrm): ditto.
	*libc/string/wmemcpy.c (wmemcpy): ditto.
2013-11-26 17:21:01 +00:00
Jeff Johnston b334e6660a 2013-04-29 Sebastian Huber <sebastian.huber@embedded-brains.de>
* libc/stdio/local.h (CHECK_INIT): Evaluate argument only once.
	(CHECK_STD_INIT): Likewise.
	* libc/stdio/fgetc.c (fgetc): Use local variable for _REENT.
	* libc/stdio/fgetwc.c (fwgetc): Likewise.
	* libc/stdio/fgetws.c (fgetws): Likewise.
	* libc/stdio/fputc.c (fputc): Likewise.
	* libc/stdio/fputwc.c (fputwc): Likewise.
	* libc/stdio/fputws.c (fputws): Likewise.
	* libc/stdio/getc.c (getc): Likewise.
	* libc/stdio/getchar.c (_getchar_r): Likewise.
	* libc/stdio/putc.c (putc): Likewise.
	* libc/stdio/putchar.c (putchar): Likewise.
	* libc/stdio/scanf.c (scanf): Likewise.
	* libc/stdio/setvbuf.c (setvbuf): Likewise.
	* libc/stdio/ungetwc.c (ungetwc): Likewise.
	* libc/stdio/vfscanf.c (VFSCANF): Likewise.
	* libc/stdio/vfwscanf.c (VFWSCANF): Likewise.
	* libc/stdio/viprintf.c (viprintf): Likewise.
	* libc/stdio/viscanf.c (viscanf): Likewise.
	* libc/stdio/vprintf.c (vprintf): Likewise.
	* libc/stdio/vscanf.c (vscanf): Likewise.
	* libc/stdio/vwprintf.c (vwprintf): Likewise.
	* libc/stdio/vwscanf.c (vwscanf): Likewise.
	* libc/stdio/wscanf.c (wscanf): Likewise.
	* libc/stdlib/ecvtbuf.c (fcvtbuf): Likewise.
	(fcvtbuf): Likewise.
	(ecvtbuf): Likewise.
	(ecvtbuf): Likewise.
	* libc/stdlib/mblen.c (mblen): Likewise.
	* libc/stdlib/mbrlen.c (mbrlen): Likewise.
	* libc/stdlib/mbrtowc.c (mbrtowc): Likewise.
	* libc/stdlib/mbtowc.c (mbtowc): Likewise.
	* libc/stdlib/rand.c (srand): Likewise.
	(rand): Likewise.
	* libc/stdlib/wcrtomb.c (wcrtomb): Likewise.
	* libc/stdlib/wctob.c (wctob): Likewise.
	* libc/stdlib/wctomb.c (wctomb): Likewise.
	* libc/string/strtok.c (strtok): Likewise.
	* libc/time/asctime.c (asctime): Likewise.
	* libc/time/gmtime.c (gmtime): Likewise.
	* libc/time/lcltime.c (lcltime): Likewise.
2013-04-29 21:06:23 +00:00
Corinna Vinschen 4aa28d8ae2 * libc/stdio/local.h (_newlib_flockfile_start): New macro to
secure stream related critical section against thread cancellation.
	(_newlib_flockfile_exit): Ditto.
	(_newlib_sfp_lock_end): Ditto.
	(_newlib_sfp_lock_start): Ditto for the list of streams.
	(_newlib_sfp_lock_exit): Ditto.
	(_newlib_sfp_lock_end): Ditto.
	Use aforementioned macros in place of _flockfile/_funlockfile
	and __sfp_lock_acquire/__sfp_lock_release throughout the code.
	* libc/stdio/fclose.c: Explicitly disable and re-enable thread
	cancellation.  Explain why.
	* libc/stdio/freopen.c: Ditto.
	* libc/stdio64/freopen64.c: Ditto.
2012-05-30 08:58:42 +00:00
Corinna Vinschen 656df313e0 * libc/stdio/fclose.c: Only use sfp lock to guard non-atomic
changes of flags and fp lock.
	* libc/stdio/freopen.c: Ditto.
	* libc/stdio/freopen64.c: Ditto.
	* libc/stdio/fgetc.c: Revert change from 2009-04-24, remove sfp locks
	which guard entire function to avoid potential deadlocks when using
	stdio functions in multiple threads.
	* libc/stdio/fgets.c: Ditto.
	* libc/stdio/fgetwc.c: Ditto.
	* libc/stdio/fgetws.c: Ditto.
	* libc/stdio/fread.c: Ditto.
	* libc/stdio/fseek.c: Ditto.
	* libc/stdio/getc.c: Ditto.
	* libc/stdio/getdelim.c: Ditto.
	* libc/stdio/gets.c: Ditto.
	* libc/stdio/vfscanf.c: Ditto.
	* libc/stdio/vfwscanf.c: Ditto.

	* libc/stdio/fflush.c (_fflush_r): Split out core functionality into
	new function __sflush_r.  Just lock file and call __sflush_r from here.
	* libc/stdio/fwalk.c (_fwalk): Remove static helper function and move
	functionality back into main function. Don't walk a file with flags
	value of 1.  Add comment.
	(_fwalk_reent): Ditto.
	* libc/stdio/local.h (__sflush_r): Declare.
	* libc/stdio/refill.c (__srefill): Before calling fwalk, set flags
	value to 1 so this file pointer isn't walked.  Revert flags afterwards
	and call __sflush_r for this fp if necessary.  Add comments.
2011-01-28 10:49:11 +00:00
Corinna Vinschen d0b85c158f * libc/include/wchar.h (fwscanf, swscanf, vfwscanf, vswscanf, vwscanf,
wscanf): Declare.
	(_fwscanf_r, _swscanf_r, _vfwscanf_r, _vswscanf_r, _vwscanf_r,
	_wscanf_r): Declare.
	* libc/stdio/Makefile.am: Add new wscanf files.
	* libc/stdio/Makefile.in: Regenerate.
	* libc/stdio/fwscanf.c: New file.
	* libc/stdio/local.h (__svfwscanf_r, __ssvfwscanf_r, __svfiwscanf_r,
	__ssvfiwscanf_r): Declare.
	* libc/stdio/stdio.tex: Add new documentation references.
	* libc/stdio/swscanf.c: New file.
	* libc/stdio/vfwscanf.c: New file.
	* libc/stdio/vswscanf.c: New file.
	* libc/stdio/vwscanf.c: New file.
	* libc/stdio/wscanf.c: New file.

	* libc/stdio/vfscanf.c (_sungetc_r): Make externally available.  Only
	define if INTEGER_ONLY is defined.  Declare otherwise.
	(__ssrefill_r): Ditto.
	(_sfread_r): Ditto.

	Remove static eofread/eofread1 functions and use __seofread
	function instead, throughout.
	* libc/stdio/local.h (__seofread): Declare.
	* libc/stdio/stdio.c (__seofread): Define.

	* libc/stdio/fgetwc.c (__fgetwc): Fix compiler warning.
	* libc/stdio/fgetws.c (_fgetws_r): Ditto.
	* libc/stdio/fread.c (_fread_r): Ditto.
	* libc/stdio/vfprintf.c: Ditto.
	* libc/stdio/vswprintf.c: Ditto.
2009-03-11 11:53:22 +00:00