scanf could trash a word of the caller's stack if it did not perform all possible assignments.

Code in ~scanf would call ~RemoveWord to remove the extra parameters, but ~RemoveWord is designed to be called from one of the ~Scan_... subroutines, which is (in effect) called by JSR and thus has an extra word on the stack for its return address. This stack misalignment caused ~RemoveWord to overwrite a word of the caller's stack when called from the code to remove extra parameters.

This could cause a crash in the following program:

#include <stdio.h>
void f(void) {
    int a,b;
    sscanf("Z", "%i%i", &a, &b);
}
int main(void) {
    f();
}
Stephen Heumann 2021-02-09 13:09:04 -06:00
parent 61bfc70b9b
commit 66e1835175
1 changed files with 2 additions and 0 deletions
@ -5550,7 +5550,9 @@ rm2a tax
bne rm2
rm3 tyx if '*' not found
beq rm4
pha lay out stack as ~RemoveWord needs
jsr ~RemoveWord remove an addr from the stack
pla
rm4 inc4 format next format character
bra rm1
;
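Review bot: the pha/pla pair at rm3 fixes the stack layout for this one call, but the hazard the commit message describes applies to any caller of ~RemoveWord that is not one of the ~Scan_... subroutines entered via JSR, so the remaining call sites in ~scanf deserve the same check, and ~RemoveWord's definition should state that it expects one extra return word on the stack above its own. Two smaller points on the new lines: the pad is exactly one word only while the accumulator is in 16-bit mode, and the value pushed is a don't-care; spelling that out in the comment (e.g. `pha lay out stack as ~RemoveWord needs (value unused)`) keeps a later reader from mistaking it for a live register save.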