Use read_int in vfscanf

The function read_int, from printf-parse.h, parses an integer from a string
while avoiding overflows.  It is used by other functions, such as vfprintf,
to avoid undefined behavior.

The function vfscanf (_IO_vfwscanf) parses an integer from the format
string, and can use read_int.

1 files changed, 5 insertions, 8 deletions

diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index fe3677ba10..7caa96fbe2 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -133,6 +133,8 @@
 # define WINT_T		int
 #endif
 
+#include "printf-parse.h" /* Use read_int.  */
+
 #define encode_error() do {						      \
 			  errval = 4;					      \
 			  __set_errno (EILSEQ);				      \
@@ -488,9 +490,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
       /* Check for a positional parameter specification.  */
       if (ISDIGIT ((UCHAR_T) *f))
 	{
-	  argpos = (UCHAR_T) *f++ - L_('0');
-	  while (ISDIGIT ((UCHAR_T) *f))
-	    argpos = argpos * 10 + ((UCHAR_T) *f++ - L_('0'));
+	  argpos = read_int ((const UCHAR_T **) &f);
 	  if (*f == L_('$'))
 	    ++f;
 	  else
@@ -525,11 +525,8 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 
       /* Find the maximum field width.  */
       width = 0;
-      while (ISDIGIT ((UCHAR_T) *f))
-	{
-	  width *= 10;
-	  width += (UCHAR_T) *f++ - L_('0');
-	}
+      if (ISDIGIT ((UCHAR_T) *f))
+	width = read_int ((const UCHAR_T **) &f);
     got_width:
       if (width == 0)
 	width = -1;