Do not let scanf("%4p") accept "(nil)". Fixes bug 16055

ChangeLog

@@ -1,3 +1,10 @@
+2013-11-07  Ondřej Bílka  <neleai@seznam.cz>
+
+	[BZ #16055]
+	* stdio-common/vfscanf.c (_IO_vfscanf_internal): Limit width
+	when we match (nil).
+	* stdio-common/tst-sscanf.c (struct test): Add testcase.
+
 2013-11-16  Joseph Myers  <joseph@codesourcery.com>
 
 	* math/libm-test.inc (TEST_NAN_SIGN): New macro.

NEWS

@@ -17,8 +17,8 @@ Version 2.19
   15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
   15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
   15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
-  16034, 16036, 16037, 16041, 16071, 16072, 16074, 16078, 16103, 16112,
-  16143, 16146, 16150, 16151, 16153, 16167, 16172.
+  16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
+  16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache

stdio-common/tst-sscanf.c

@@ -92,6 +92,8 @@ struct test
   { L("foo bar"), L("foo bar"), 0 },
   { L("foo bar"), L("foo %d"), 0 },
   { L("foo bar"), L("foon%d"), 0 },
+  { L("foo (nil)"), L("foo %p"), 1},
+  { L("foo (nil)"), L("foo %4p"), 0},
   { L("foo "), L("foo %n"), 0 },
   { L("foo%bar1"), L("foo%%bar%d"), 1 },
   /* Some OSes skip whitespace here while others don't.  */

stdio-common/vfscanf.c

@@ -1757,7 +1757,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		 we must recognize "(nil)" as well.  */
 	      if (__builtin_expect (wpsize == 0
 				    && (flags & READ_POINTER)
-				    && (width < 0 || width >= 0)
+				    && (width < 0 || width >= 5)
 				    && c == '('
 				    && TOLOWER (inchar ()) == L_('n')
 				    && TOLOWER (inchar ()) == L_('i')