From 6ba101b5f1f9878ad0532ad8e7a7d95c028809c8 Mon Sep 17 00:00:00 2001
From: Andrzej Stalke
Date: Mon, 22 Apr 2024 12:20:25 +0200
Subject: [PATCH] libphoenix/scanf: Fix invalid processing of %n

JIRA: RTOS-825
---
 stdio/scanf.c | 77 +++++++++++++++++++++++++++------------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

diff --git a/stdio/scanf.c b/stdio/scanf.c
index 98fd639b..99640940 100644
--- a/stdio/scanf.c
+++ b/stdio/scanf.c
@@ -48,6 +48,7 @@
 #define CT_STRING 2 /* %s conversion */
 #define CT_INT 3 /* %[dioupxX] conversion */
 #define CT_FLOAT 4 /* %[aefgAEFG] conversion */
+#define CT_INTPTR 5 /* %n conversion */
 static const unsigned char *__sccl(char *tab, const unsigned char *fmt)
@@ -113,7 +114,7 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 char *p, *p0;
 char buf[32];
- static short basefix[17] = { 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
+ static const short basefix[17] = { 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
 *inr = strlen(inp);
@@ -296,29 +297,8 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 break;
 case 'n':
- nconversions++;
- if ((flags & SUPPRESS) != 0) {
- continue;
- }
- if ((flags & SHORTSHORT) != 0) {
- *va_arg(ap, char *) = nread;
- }
- else if ((flags & SHORT) != 0) {
- *va_arg(ap, short *) = nread;
- }
- else if ((flags & LONG) != 0) {
- *va_arg(ap, long *) = nread;
- }
- else if ((flags & LONGLONG) != 0) {
- *va_arg(ap, long long *) = nread;
- }
- else if ((flags & PTRDIFF) != 0) {
- *va_arg(ap, ptrdiff_t *) = nread;
- }
- else {
- *va_arg(ap, int *) = nread;
- }
- continue;
+ c = CT_INTPTR;
+ break;
 }
 break;
@@ -327,18 +307,20 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0 continue; } - if (*inr <= 0) { - return (nconversions != 0 ? nassigned : -1); - } + if (c != CT_INTPTR) { + if (*inr <= 0) { + return (nconversions != 0 ? nassigned : -1); + } - if ((flags & NOSKIP) == 0) { - while (isspace(*inp) != 0) { - nread++; - if (--(*inr) > 0) { - inp++; - } - else { - return (nconversions != 0 ? nassigned : -1); + if ((flags & NOSKIP) == 0) { + while (isspace(*inp) != 0) { + nread++; + if (--(*inr) > 0) { + inp++; + } + else { + return (nconversions != 0 ? nassigned : -1); + } } } } @@ -673,7 +655,30 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0 nread += p - buf; nconversions++; break; - + case CT_INTPTR: + nconversions++; + if ((flags & SUPPRESS) != 0) { + continue; + } + if ((flags & SHORTSHORT) != 0) { + *va_arg(ap, char *) = nread; + } + else if ((flags & SHORT) != 0) { + *va_arg(ap, short *) = nread; + } + else if ((flags & LONG) != 0) { + *va_arg(ap, long *) = nread; + } + else if ((flags & LONGLONG) != 0) { + *va_arg(ap, long long *) = nread; + } + else if ((flags & PTRDIFF) != 0) { + *va_arg(ap, ptrdiff_t *) = nread; + } + else { + *va_arg(ap, int *) = nread; + } + break; default: break; }
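Review bot: `isspace(*inp)` in the re-indented white-space loop receives a plain `char` (the hunk header shows `const char *inp`), so on targets where `char` is signed any input byte at or above 0x80 is passed as a negative value, which is undefined behaviour for the `<ctype.h>` functions and in some libc implementations reads outside the classification table on input the caller does not control. Since the line is rewritten here anyway, cast it: `while (isspace((unsigned char)*inp) != 0) {`. The new `if (c != CT_INTPTR)` guard would also benefit from a comment such as `/* %n consumes no input: do not fail at end of input or skip white space for it */`. The enclosing `scanf_parse` starts and ends outside this hunk.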
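Review bot: The `case CT_INTPTR:` store chain only distinguishes `SHORTSHORT`, `SHORT`, `LONG`, `LONGLONG` and `PTRDIFF`; if the length-modifier parsing outside this hunk also accepts `j` or `z`, `%jn`/`%zn` would fall into the final `else` and write only an `int` through a wider pointer, leaving part of the caller's object unset, so this is worth confirming against the flag definitions. The suppressed path leaves with `continue` while every other path in the case ends with `break`, so it skips whatever follows the switch in the loop body; that code is not visible here, and if nothing depends on the difference, `break` would be more consistent. A short comment on the case would help, e.g. `/* %n: store the number of characters read so far; consumes no input, nassigned is not incremented */`. The added lines appear without their `+` markers on this page, and the switch itself starts outside the hunk.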