From 6ecec3b616aeaf121c68c1053cd17fdcf0cdb5a2 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Mon, 14 Jan 2013 17:32:20 +0100
Subject: [PATCH] Don't accept exp char without preceding digits in scanf float
 parsing

---
 ChangeLog              |  6 ++++++
 NEWS                   | 12 ++++++------
 stdio-common/Makefile  |  2 +-
 stdio-common/bug26.c   | 37 +++++++++++++++++++++++++++++++++++++
 stdio-common/vfscanf.c | 16 +++++++++++-----
 5 files changed, 61 insertions(+), 12 deletions(-)
 create mode 100644 stdio-common/bug26.c

diff --git a/ChangeLog b/ChangeLog
index 6313627eb6..c64d69006c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2013-04-11  Andreas Schwab  <schwab@suse.de>
 
+	[BZ #13988]
+	* stdio-common/vfscanf.c (_IO_vfwscanf): When parsing a float
+	accept exponent character only when digits were seen.
+	* stdio-common/Makefile (tests): Add bug26.
+	* stdio-common/bug26.c: New file.
+
 	[BZ #14293]
 	* elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as
 	non-freeable.
diff --git a/NEWS b/NEWS
index 639b1f027f..66efb82dfd 100644
--- a/NEWS
+++ b/NEWS
@@ -9,12 +9,12 @@ Version 2.18
 
 * The following bugs are resolved with this release:
 
-  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142,
-  14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920,
-  14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023,
-  15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283,
-  15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336,
-  15337, 15342, 15346.
+  10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 13988,
+  14142, 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812,
+  14920, 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020,
+  15023, 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234,
+  15283, 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335,
+  15336, 15337, 15342, 15346.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index f64a8ba2d9..658804bbe8 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
 	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
 	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
 	 bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
-	 bug25 tst-printf-round
+	 bug25 tst-printf-round bug26
 
 test-srcs = tst-unbputc tst-printf
 
diff --git a/stdio-common/bug26.c b/stdio-common/bug26.c
new file mode 100644
index 0000000000..a4c6bce939
--- /dev/null
+++ b/stdio-common/bug26.c
@@ -0,0 +1,37 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+  FILE *f;
+  int lost = 0;
+  int c;
+  double d;
+  char s[] = "+.e";
+
+  f = fmemopen (s, strlen (s), "r");
+  /* This should fail to parse a float and leave 'e' in the input.  */
+  lost |= (fscanf (f, "%f", &d) != 0);
+  c = fgetc (f);
+  lost |= c != 'e';
+  puts (lost ? "Test FAILED!" : "Test succeeded.");
+  return lost;
+}
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index 9b5c4a9c88..82f7eee192 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -222,7 +222,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
   /* Errno of last failed inchar call.  */
   int inchar_errno = 0;
   /* Status for reading F-P nums.  */
-  char got_dot, got_e, negative;
+  char got_digit, got_dot, got_e, negative;
   /* If a [...] is a [^...].  */
   CHAR_T not_in;
 #define exp_char not_in
@@ -1845,7 +1845,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 	  if (__builtin_expect (c == EOF, 0))
 	    input_error ();
 
-	  got_dot = got_e = 0;
+	  got_digit = got_dot = got_e = 0;
 
 	  /* Check for a sign.  */
 	  if (c == L_('-') || c == L_('+'))
@@ -1971,13 +1971,19 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 	  while (1)
 	    {
 	      if (ISDIGIT (c))
-		ADDW (c);
+		{
+		  ADDW (c);
+		  got_digit = 1;
+		}
 	      else if (!got_e && (flags & HEXA_FLOAT) && ISXDIGIT (c))
-		ADDW (c);
+		{
+		  ADDW (c);
+		  got_digit = 1;
+		}
 	      else if (got_e && wp[wpsize - 1] == exp_char
 		       && (c == L_('-') || c == L_('+')))
 		ADDW (c);
-	      else if (wpsize > 0 && !got_e
+	      else if (got_digit && !got_e
 		       && (CHAR_T) TOLOWER (c) == exp_char)
 		{
 		  ADDW (exp_char);
-- 
2.11.4.GIT