picnoir/glibc
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
glibc/include/stdio.h
Zack Weinberg 03992356e6
Use C99-compliant scanf under _GNU_SOURCE with modern compilers. 
The only difference between noncompliant and C99-compliant scanf is
that the former accepts the archaic GNU extension '%as' (also %aS and
%a[...]) meaning to allocate space for the input string with malloc.
This extension conflicts with C99's use of %a as a format _type_
meaning to read a floating-point number; POSIX.1-2008 standardized
equivalent functionality using the modifier letter 'm' instead (%ms,
%mS, %m[...]).

The extension was already disabled in most conformance modes:
specifically, any mode that doesn't involve _GNU_SOURCE and _does_
involve either strict conformance to C99 or loose conformance to both
C99 and POSIX.1-2001 would get the C99-compliant scanf.  With
compilers new enough to use -std=gnu11 instead of -std=gnu89, or
equivalent, that includes the default mode.

With this patch, we now provide C99-compliant scanf in all
configurations except when _GNU_SOURCE is defined *and*
__STDC_VERSION__ or __cplusplus (whichever is relevant) indicates
C89/C++98.  This leaves the old scanf available under e.g. -std=c89
-D_GNU_SOURCE, but removes it from e.g. -std=gnu11 -D_GNU_SOURCE (it
was already not present under -std=gnu11 without -D_GNU_SOURCE) and
from -std=gnu89 without -D_GNU_SOURCE.

There needs to be an internal override so we can compile the
noncompliant scanf itself.  This is the same problem we had when we
removed 'gets' from _GNU_SOURCE and it's dealt with the same way:
there's a new __GLIBC_USE symbol, DEPRECATED_SCANF, which defaults to
off under the appropriate conditions for external code, but can be
overridden by individual files within stdio.

We also run into problems with PLT bypass for internal uses of sscanf,
because libc_hidden_proto uses __REDIRECT and so does the logic in
stdio.h for choosing which implementation of scanf to use; __REDIRECT
isn't transitive, so include/stdio.h needs to bridge the gap with a
macro.  As far as I can tell, sscanf is the only function in this
family that's internally called by unrelated code.

Finally, there are several tests in stdio-common that use the
extension.  bug21.c is a regression test for a crash; it still
exercises the relevant code when changed to use %ms instead of %as.
scanf14.c through scanf17.c are more complicated since they are
actually testing the subtleties of the extension - under what
circumstances is 'a' treated as a modifier letter, etc.  I changed all
of them to use %ms instead of %as as well, but duplicated scanf14.c
and scanf16.c as scanf14a.c and scanf16a.c.  These still use %as and
are compiled with -std=gnu89 to access the old extension.  A bunch of
diagnostic overrides and manual workarounds for the old stdio.h
behavior become unnecessary.  Yay!

	* include/features.h (__GLIBC_USE_DEPRECATED_SCANF): New __GLIBC_USE
	parameter.  Only use deprecated scanf when __USE_GNU is defined
	and __STDC_VERSION__ is less than 199901L or __cplusplus is less
	than 201103L, whichever is relevant for the language being compiled.

	* libio/stdio.h, libio/bits/stdio-ldbl.h: Decide whether to redirect
	scanf, fscanf, sscanf, vscanf, vfscanf, and vsscanf to their
	__isoc99_ variants based only on __GLIBC_USE (DEPRECATED_SCANF).
	* wcsmbs/wchar.h: wcsmbs/bits/wchar-ldbl.h: Likewise for
	wscanf, fwscanf, swscanf, vwscanf, vfwscanf, and vswscanf.

	* libio/iovsscanf.c
	* libio/fwscanf.c
	* libio/iovswscanf.c
	* libio/swscanf.c
	* libio/vscanf.c
	* libio/vwscanf.c
	* libio/wscanf.c
	* stdio-common/fscanf.c
	* stdio-common/scanf.c
	* stdio-common/vfscanf.c
	* stdio-common/vfwscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-compat.c
	* sysdeps/ieee754/ldbl-opt/nldbl-fscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-fwscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-iovfscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-scanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-sscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-swscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vfscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vfwscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vsscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vswscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-vwscanf.c
	* sysdeps/ieee754/ldbl-opt/nldbl-wscanf.c:
	Override __GLIBC_USE_DEPRECATED_SCANF to 1.

	* stdio-common/sscanf.c: Likewise.  Remove ldbl_hidden_def for __sscanf.
	* stdio-common/isoc99_sscanf.c: Add libc_hidden_def for __isoc99_sscanf.
	* include/stdio.h: Provide libc_hidden_proto for __isoc99_sscanf,
	not sscanf.
	[!__GLIBC_USE (DEPRECATED_SCANF)]: Define sscanf as __isoc99_scanf
	with a preprocessor macro.

	* stdio-common/bug21.c, stdio-common/scanf14.c:
	Use %ms instead of %as, %mS instead of %aS, %m[] instead of %a[];
	remove DIAG_IGNORE_NEEDS_COMMENT for -Wformat.
	* stdio-common/scanf16.c: Likewise.  Add __attribute__ ((format (scanf)))
	to xscanf, xfscanf, xsscanf.

	* stdio-common/scanf14a.c: New copy of scanf14.c which still uses
	%as, %aS, %a[].  Remove DIAG_IGNORE_NEEDS_COMMENT for -Wformat.
	* stdio-common/scanf16a.c: New copy of scanf16.c which still uses
	%as, %aS, %a[].  Add __attribute__ ((format (scanf))) to xscanf,
	xfscanf, xsscanf.
	* stdio-common/scanf15.c, stdio-common/scanf17.c: No need to
	override feature selection macros or provide definitions of u_char etc.
	* stdio-common/Makefile (tests): Add scanf14a and scanf16a.
	(CFLAGS-scanf15.c, CFLAGS-scanf17.c): Remove.
	(CFLAGS-scanf14a.c, CFLAGS-scanf16a.c): New.  Compile these files
	with -std=gnu89.
2019-01-03 11:12:39 -05:00

266 lines
9.8 KiB
C
Raw Blame History

#ifndef _STDIO_H
# if !defined _ISOMAC && defined _IO_MTSAFE_IO
# include <stdio-lock.h>
# endif
# include <libio/stdio.h>
# ifndef _ISOMAC
# define _LIBC_STDIO_H 1
# include <libio/libio.h>
/* Now define the internal interfaces. */
extern int __fcloseall (void) attribute_hidden;
extern int __snprintf (char *__restrict __s, size_t __maxlen,
const char *__restrict __format, ...)
__attribute__ ((__format__ (__printf__, 3, 4)));
libc_hidden_proto (__snprintf)
extern int __vfscanf (FILE *__restrict __s,
const char *__restrict __format,
__gnuc_va_list __arg)
__attribute__ ((__format__ (__scanf__, 2, 0)));
libc_hidden_proto (__vfscanf)
extern int __vscanf (const char *__restrict __format,
__gnuc_va_list __arg)
__attribute__ ((__format__ (__scanf__, 1, 0)));
extern __ssize_t __getline (char **__lineptr, size_t *__n,
FILE *__stream) attribute_hidden;
extern int __vsscanf (const char *__restrict __s,
const char *__restrict __format,
__gnuc_va_list __arg)
__attribute__ ((__format__ (__scanf__, 2, 0)));
extern int __sprintf_chk (char *, int, size_t, const char *, ...) __THROW;
extern int __snprintf_chk (char *, size_t, int, size_t, const char *, ...)
__THROW;
extern int __vsprintf_chk (char *, int, size_t, const char *,
__gnuc_va_list) __THROW;
extern int __vsnprintf_chk (char *, size_t, int, size_t, const char *,
__gnuc_va_list) __THROW;
extern int __printf_chk (int, const char *, ...);
extern int __fprintf_chk (FILE *, int, const char *, ...);
extern int __vprintf_chk (int, const char *, __gnuc_va_list);
extern int __vfprintf_chk (FILE *, int, const char *, __gnuc_va_list);
extern char *__fgets_unlocked_chk (char *buf, size_t size, int n, FILE *fp);
extern char *__fgets_chk (char *buf, size_t size, int n, FILE *fp);
extern int __asprintf_chk (char **, int, const char *, ...) __THROW;
extern int __vasprintf_chk (char **, int, const char *, __gnuc_va_list) __THROW;
extern int __dprintf_chk (int, int, const char *, ...);
extern int __vdprintf_chk (int, int, const char *, __gnuc_va_list);
extern int __obstack_printf_chk (struct obstack *, int, const char *, ...)
__THROW;
extern int __obstack_vprintf_chk (struct obstack *, int, const char *,
__gnuc_va_list) __THROW;
extern int __isoc99_fscanf (FILE *__restrict __stream,
const char *__restrict __format, ...) __wur;
extern int __isoc99_scanf (const char *__restrict __format, ...) __wur;
extern int __isoc99_sscanf (const char *__restrict __s,
const char *__restrict __format, ...) __THROW;
extern int __isoc99_vfscanf (FILE *__restrict __s,
const char *__restrict __format,
__gnuc_va_list __arg) __wur;
extern int __isoc99_vscanf (const char *__restrict __format,
__gnuc_va_list __arg) __wur;
extern int __isoc99_vsscanf (const char *__restrict __s,
const char *__restrict __format,
__gnuc_va_list __arg) __THROW;
libc_hidden_proto (__isoc99_sscanf)
libc_hidden_proto (__isoc99_vsscanf)
libc_hidden_proto (__isoc99_vfscanf)
/* Internal uses of sscanf should call the C99-compliant version.
Unfortunately, symbol redirection is not transitive, so the
__REDIRECT in the public header does not link up with the above
libc_hidden_proto. Bridge the gap with a macro. */
# if !__GLIBC_USE (DEPRECATED_SCANF)
# undef sscanf
# define sscanf __isoc99_sscanf
# endif
/* Prototypes for compatibility functions. */
extern FILE *__new_tmpfile (void);
extern FILE *__old_tmpfile (void);
# define __need_size_t
# include <stddef.h>
# include <bits/types/wint_t.h>
/* Generate a unique file name (and possibly open it). */
extern int __path_search (char *__tmpl, size_t __tmpl_len,
const char *__dir, const char *__pfx,
int __try_tempdir) attribute_hidden;
extern int __gen_tempname (char *__tmpl, int __suffixlen, int __flags,
int __kind) attribute_hidden;
/* The __kind argument to __gen_tempname may be one of: */
# define __GT_FILE 0 /* create a file */
# define __GT_DIR 1 /* create a directory */
# define __GT_NOCREATE 2 /* just find a name not currently in use */
enum __libc_message_action
{
do_message = 0, /* Print message. */
do_abort = 1 << 0, /* Abort. */
do_backtrace = 1 << 1 /* Backtrace. */
};
/* Print out MESSAGE (which should end with a newline) on the error output
and abort. */
extern void __libc_fatal (const char *__message)
__attribute__ ((__noreturn__));
extern void __libc_message (enum __libc_message_action action,
const char *__fnt, ...) attribute_hidden;
extern void __fortify_fail (const char *msg) __attribute__ ((__noreturn__));
extern void __fortify_fail_abort (_Bool, const char *msg)
__attribute__ ((__noreturn__)) attribute_hidden;
libc_hidden_proto (__fortify_fail)
libc_hidden_proto (__fortify_fail_abort)
/* Acquire ownership of STREAM. */
extern void __flockfile (FILE *__stream) attribute_hidden;
/* Relinquish the ownership granted for STREAM. */
extern void __funlockfile (FILE *__stream) attribute_hidden;
/* Try to acquire ownership of STREAM but do not block if it is not
possible. */
extern int __ftrylockfile (FILE *__stream);
extern int __getc_unlocked (FILE *__fp) attribute_hidden;
extern wint_t __getwc_unlocked (FILE *__fp);
extern int __fxprintf (FILE *__fp, const char *__fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3))) attribute_hidden;
extern int __fxprintf_nocancel (FILE *__fp, const char *__fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3))) attribute_hidden;
int __vfxprintf (FILE *__fp, const char *__fmt, __gnuc_va_list)
attribute_hidden;
/* Read the next line from FP into BUFFER, of LENGTH bytes. LINE will
include the line terminator and a NUL terminator. On success,
return the length of the line, including the line terminator, but
excluding the NUL termintor. On EOF, return zero and write a NUL
terminator. On error, return -1 and set errno. If the total byte
count (line and both terminators) exceeds LENGTH, return -1 and set
errno to ERANGE (but do not mark the stream as failed).
The behavior is undefined if FP is not seekable, or if the stream
is already in an error state. */
ssize_t __libc_readline_unlocked (FILE *fp, char *buffer, size_t length);
libc_hidden_proto (__libc_readline_unlocked);
extern const char *const _sys_errlist_internal[] attribute_hidden;
extern int _sys_nerr_internal attribute_hidden;
libc_hidden_proto (__asprintf)
# if IS_IN (libc)
extern FILE *_IO_new_fopen (const char*, const char*);
# define fopen(fname, mode) _IO_new_fopen (fname, mode)
extern FILE *_IO_new_fdopen (int, const char*);
# define fdopen(fd, mode) _IO_new_fdopen (fd, mode)
extern int _IO_new_fclose (FILE*);
# define fclose(fp) _IO_new_fclose (fp)
extern int _IO_fputs (const char*, FILE*);
libc_hidden_proto (_IO_fputs)
/* The compiler may optimize calls to fprintf into calls to fputs.
Use libc_hidden_proto to ensure that those calls, not redirected by
the fputs macro, also do not go through the PLT. */
libc_hidden_proto (fputs)
# define fputs(str, fp) _IO_fputs (str, fp)
extern int _IO_new_fsetpos (FILE *, const __fpos_t *);
# define fsetpos(fp, posp) _IO_new_fsetpos (fp, posp)
extern int _IO_new_fgetpos (FILE *, __fpos_t *);
# define fgetpos(fp, posp) _IO_new_fgetpos (fp, posp)
# endif
libc_hidden_proto (dprintf)
extern __typeof (dprintf) __dprintf
__attribute__ ((__format__ (__printf__, 2, 3)));
libc_hidden_proto (__dprintf)
libc_hidden_proto (fprintf)
libc_hidden_proto (vfprintf)
libc_hidden_proto (sprintf)
libc_hidden_proto (fwrite)
libc_hidden_proto (perror)
libc_hidden_proto (remove)
libc_hidden_proto (rewind)
libc_hidden_proto (fileno)
extern __typeof (fileno) __fileno;
libc_hidden_proto (__fileno)
libc_hidden_proto (fwrite)
libc_hidden_proto (fseek)
extern __typeof (ftello) __ftello;
libc_hidden_proto (__ftello)
extern __typeof (fseeko64) __fseeko64;
libc_hidden_proto (__fseeko64)
extern __typeof (ftello64) __ftello64;
libc_hidden_proto (__ftello64)
libc_hidden_proto (fflush)
libc_hidden_proto (fflush_unlocked)
extern __typeof (fflush_unlocked) __fflush_unlocked;
libc_hidden_proto (__fflush_unlocked)
extern __typeof (fread_unlocked) __fread_unlocked;
libc_hidden_proto (__fread_unlocked)
libc_hidden_proto (fwrite_unlocked)
libc_hidden_proto (fgets_unlocked)
extern __typeof (fgets_unlocked) __fgets_unlocked;
libc_hidden_proto (__fgets_unlocked)
libc_hidden_proto (fputs_unlocked)
extern __typeof (fputs_unlocked) __fputs_unlocked;
libc_hidden_proto (__fputs_unlocked)
libc_hidden_proto (feof_unlocked)
extern __typeof (feof_unlocked) __feof_unlocked attribute_hidden;
libc_hidden_proto (ferror_unlocked)
extern __typeof (ferror_unlocked) __ferror_unlocked attribute_hidden;
libc_hidden_proto (getc_unlocked)
libc_hidden_proto (fputc_unlocked)
libc_hidden_proto (putc_unlocked)
extern __typeof (putc_unlocked) __putc_unlocked attribute_hidden;
libc_hidden_proto (fmemopen)
/* The prototype needs repeating instead of using __typeof to use
__THROW in C++ tests. */
extern FILE *__open_memstream (char **, size_t *) __THROW __wur;
libc_hidden_proto (__open_memstream)
libc_hidden_proto (__libc_fatal)
rtld_hidden_proto (__libc_fatal)
libc_hidden_proto (__vsprintf_chk)
extern FILE * __fmemopen (void *buf, size_t len, const char *mode);
libc_hidden_proto (__fmemopen)
extern int __gen_tempfd (int flags);
libc_hidden_proto (__gen_tempfd)
# ifdef __USE_EXTERN_INLINES
__extern_inline int
__NTH (__feof_unlocked (FILE *__stream))
{
return __feof_unlocked_body (__stream);
}
__extern_inline int
__NTH (__ferror_unlocked (FILE *__stream))
{
return __ferror_unlocked_body (__stream);
}
__extern_inline int
__getc_unlocked (FILE *__fp)
{
return __getc_unlocked_body (__fp);
}
__extern_inline int
__putc_unlocked (int __c, FILE *__stream)
{
return __putc_unlocked_body (__c, __stream);
}
# endif
extern __typeof (renameat) __renameat;
libc_hidden_proto (__renameat)
# endif /* not _ISOMAC */
#endif /* stdio.h */
Reference in a new issue View git blame Copy permalink