Re: [PATCH 3/4] lib/vsprintf: use int for field_width in vsscanf()

From: Petr Mladek

Date: Tue Mar 31 2026 - 10:33:53 EST


On Wed 2026-03-25 14:00:17, Andy Shevchenko wrote:
> On Tue, Mar 24, 2026 at 10:49:39PM +0000, Josh Law wrote:
> > vsscanf() declares field_width as s16 but assigns it from skip_atoi()
> > which returns int. Values above 32767 silently truncate to negative,
> > causing vsscanf() to abort all remaining parsing. This is inconsistent
> > with struct printf_spec which uses int for field_width.
>
> Is the field_width an acceptable integer range by the specifications?

I am not sure what is allowed by the specification. Anyway, the code is
not ready for bigger values, for example:

	case 's':
	{
		char *s = (char *)va_arg(args, char *);
		if (field_width == -1)
			field_width = SHRT_MAX;

clearly expects signed short int range.

I wonder if it might even open some backdoor. The code matching
a sequence of characters expects a defined field width, see


	case '[':
	{
		[...]
		/* field width is required */
		if (field_width == -1)
			return num;

The current code limits valid field width values to positive ones,
aka SHRT_MAX which is clearly much lower than INT_MAX. And it might
prevent some out-of-bounds access.

Best Regards,
Petr
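
Added example, not part of the original message and not kernel code: a
userspace model of the narrowing discussed in this thread, next to an
explicit range check that keeps the SHRT_MAX cap. demo_skip_atoi(),
width_as_s16() and width_checked() are hypothetical names, and the sample
widths are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for skip_atoi(): parse decimal digits into an int,
 * saturating at INT_MAX so the helper itself never overflows. */
static int demo_skip_atoi(const char **s)
{
	int i = 0;

	while (**s >= '0' && **s <= '9') {
		int d = *(*s)++ - '0';
		i = (i > (INT_MAX - d) / 10) ? INT_MAX : i * 10 + d;
	}
	return i;
}

/* The narrowing described in the patch: an int stored in a 16-bit signed
 * field. Out-of-range conversion is implementation-defined; GCC and Clang
 * wrap modulo 2^16. */
static int width_as_s16(const char *fmt)
{
	int16_t field_width = (int16_t)demo_skip_atoi(&fmt);

	return field_width;
}

/* Assumed alternative, not kernel code: keep the SHRT_MAX cap but reject
 * larger widths explicitly. Returns 0 and stores the width on success. */
static int width_checked(const char *fmt, int *out)
{
	int w = demo_skip_atoi(&fmt);

	if (w <= 0 || w > SHRT_MAX)
		return -1;
	*out = w;
	return 0;
}

int main(void)
{
	const char *samples[] = { "16", "32767", "32768", "40000" }; /* constructed */
	int w;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-6s s16=%-7d checked=%s\n", samples[i],
		       width_as_s16(samples[i]),
		       width_checked(samples[i], &w) ? "rejected" : "accepted");
	return 0;
}
```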