From: Michał Janiszewski janisozaur@gmail.com
Limit damage done by a case
char buffer[1]; sscanf_s("xx", "%2c", buffer, 1);
where it would try writing 'x' to buffer[1].
It is still not entirely correct, as according to https://en.cppreference.com/w/c/io/fwscanf, "The size of the destination array must be at least one greater than the specified field width", but the final byte is reserved for the NULL terminator.
Signed-off-by: Michał Janiszewski janisozaur@gmail.com --- dlls/msvcrt/scanf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h index 734fe8bb98..5393e36f23 100644 --- a/dlls/msvcrt/scanf.h +++ b/dlls/msvcrt/scanf.h @@ -549,7 +549,7 @@ _FUNCTION_ { { if (!suppress) { *str++ = _CHAR2SUPPORTED_(nch); - if(size) size--; + if(size > 1) size--; else { _UNLOCK_FILE_(file); *pstr = 0; @@ -575,7 +575,7 @@ _FUNCTION_ { { if (!suppress) { *str++ = _WIDE2SUPPORTED_(nch); - if(size) size--; + if(size > 1) size--; else { _UNLOCK_FILE_(file); *pstr = 0;
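Review bot: in the first hunk (@@ -549, the _CHAR2SUPPORTED_ path) the store `*str++ = _CHAR2SUPPORTED_(nch);` still runs before the `if(size > 1)` test, so a call that arrives with size == 0 writes one element before the else branch is reached, and `*pstr = 0` then writes again. Consider testing the remaining size before the store, so the failure path is taken without touching a buffer that has no room. A short comment at this line saying whether `size` counts the terminator slot would also make the intended invariant checkable, since the commit message itself says the result is not entirely correct.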
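Review bot: in the second hunk (@@ -575, the _WIDE2SUPPORTED_ path) changing `if(size)` to `if(size > 1)` means a buffer with size == 1 now takes the else branch right after its first character has been stored, and `*pstr = 0` discards it. If this path serves a conversion that does not append a terminator, a one-character read into a one-element buffer would start failing, so please confirm that is the intended behaviour. A test covering both the `"%2c"` case from the commit message and the exact-fit case, for the narrow and wide variants, would pin this down.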