From 1ea9e117862e545434f3f206ae7211cfd9a616a0 Mon Sep 17 00:00:00 2001
From: Andrzej Stalke <andrzej.stalke@phoenix-rtos.com>
Date: Mon, 22 Apr 2024 12:20:25 +0200
Subject: [PATCH] libphoenix/scanf: Fix invalid processing of %n

JIRA: RTOS-825
---
 stdio/scanf.c | 53 +++++++++++++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 25 deletions(-)

diff --git a/stdio/scanf.c b/stdio/scanf.c
index 98fd639b..0e8b4d4a 100644
--- a/stdio/scanf.c
+++ b/stdio/scanf.c
@@ -48,6 +48,7 @@
 #define CT_STRING 2 /* %s conversion */
 #define CT_INT    3 /* %[dioupxX] conversion */
 #define CT_FLOAT  4 /* %[aefgAEFG] conversion */
+#define CT_INTPTR 5 /* %n conversion */
 
 
 static const unsigned char *__sccl(char *tab, const unsigned char *fmt)
@@ -113,7 +114,7 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 	char *p, *p0;
 	char buf[32];
 
-	static short basefix[17] = { 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
+	static const short basefix[17] = { 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
 
 	*inr = strlen(inp);
 
@@ -296,29 +297,8 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 					break;
 
 				case 'n':
-					nconversions++;
-					if ((flags & SUPPRESS) != 0) {
-						continue;
-					}
-					if ((flags & SHORTSHORT) != 0) {
-						*va_arg(ap, char *) = nread;
-					}
-					else if ((flags & SHORT) != 0) {
-						*va_arg(ap, short *) = nread;
-					}
-					else if ((flags & LONG) != 0) {
-						*va_arg(ap, long *) = nread;
-					}
-					else if ((flags & LONGLONG) != 0) {
-						*va_arg(ap, long long *) = nread;
-					}
-					else if ((flags & PTRDIFF) != 0) {
-						*va_arg(ap, ptrdiff_t *) = nread;
-					}
-					else {
-						*va_arg(ap, int *) = nread;
-					}
-					continue;
+					c = CT_INTPTR;
+					break;
 			}
 
 			break;
@@ -673,7 +653,30 @@ static int scanf_parse(char *ccltab, const char *inp, int *inr, char const *fmt0
 				nread += p - buf;
 				nconversions++;
 				break;
-
+			case CT_INTPTR:
+				nconversions++;
+				if ((flags & SUPPRESS) != 0) {
+					continue;
+				}
+				if ((flags & SHORTSHORT) != 0) {
+					*va_arg(ap, char *) = nread;
+				}
+				else if ((flags & SHORT) != 0) {
+					*va_arg(ap, short *) = nread;
+				}
+				else if ((flags & LONG) != 0) {
+					*va_arg(ap, long *) = nread;
+				}
+				else if ((flags & LONGLONG) != 0) {
+					*va_arg(ap, long long *) = nread;
+				}
+				else if ((flags & PTRDIFF) != 0) {
+					*va_arg(ap, ptrdiff_t *) = nread;
+				}
+				else {
+					*va_arg(ap, int *) = nread;
+				}
+				break;
 			default:
 				break;
 		}