From 827658de514799d202b3d87dc34f86cf02e8b3b2 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Mon, 25 May 2026 16:11:55 -0300
Subject: [PATCH] security: Round 5.1 scanf %s limit (U02)
U02: Limit %s to 255 chars in scanf/sscanf/fscanf to prevent buffer overflow
- Added check (i < 255) in %s parsing loop for scanf
- Added check (i < 255) in %s parsing loop for sscanf
- Added check (i < 255) in %s parsing loop for fscanf
Tests: 119/119 PASS (smoke test, SMP=4)
---
 user/ulibc/src/stdio.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/user/ulibc/src/stdio.c b/user/ulibc/src/stdio.c
index 8660f4b7..34109fb3 100644
--- a/user/ulibc/src/stdio.c
+++ b/user/ulibc/src/stdio.c
@@ -405,6 +405,7 @@ int snprintf(char* buf, size_t size, const char* fmt, ...) {
 int sscanf(const char* str, const char* fmt, ...) {
 /* Minimal sscanf: only supports %d and %s */
+ /* U02: %s limited to 255 chars by default to prevent buffer overflow */
 va_list ap;
 va_start(ap, fmt);
 int count = 0;
@@ -430,7 +431,7 @@ int sscanf(const char* str, const char* fmt, ...) {
 char* out = va_arg(ap, char*);
 while (*s == ' ') s++;
 int i = 0;
- while (*s && *s != ' ' && *s != '\n' && *s != '\t') out[i++] = *s++;
+ while (*s && *s != ' ' && *s != '\n' && *s != '\t' && i < 255) out[i++] = *s++;
 out[i] = '\0';
 count++;
 } else {
@@ -606,6 +607,7 @@ char* tmpnam(char* s) {
 int fscanf(FILE* fp, const char* fmt, ...) {
 /* Read a line, then delegate to sscanf */
+ /* U02: %s limited to 255 chars by default to prevent buffer overflow */
 char line[512];
 if (!fgets(line, (int)sizeof(line), fp)) return EOF;
 va_list ap;
@@ -635,7 +637,7 @@ int fscanf(FILE* fp, const char* fmt, ...) {
 char* out = va_arg(ap, char*);
 while (*s == ' ') s++;
 int i = 0;
- while (*s && *s != ' ' && *s != '\n' && *s != '\t') out[i++] = *s++;
+ while (*s && *s != ' ' && *s != '\n' && *s != '\t' && i < 255) out[i++] = *s++;
 out[i] = '\0';
 count++;
 } else if (*f == 'c') {
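Review bot: The comment added at the top of sscanf (and repeated verbatim in the fscanf and scanf hunks) says the limit applies "by default", which suggests callers can override it, yet nothing in these hunks shows a way to do so. It also omits the contract a caller needs: the loop stores up to 255 characters and then a terminating NUL, so every `%s` destination must be at least 256 bytes. I would word it as `/* U02: %s stores at most 255 chars plus NUL; every %s destination must be >= 256 bytes (no field width is parsed) */`. The field-width remark is inferred from the "only supports %d and %s" comment, since the format dispatch lies outside the hunk.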
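Review bot: The `i < 255` bound in the `%s` loop of sscanf (and the identical loops in the fscanf and scanf hunks) is a constant unrelated to the caller's buffer, so it only protects destinations of 256 bytes or more; a `char name[32]` argument is still overrun by a long token. The conversion dispatch is outside the hunk, but the "only supports %d and %s" comment suggests no field width such as `%31s` is parsed, which would leave callers no way to ask for a tighter bound. Consider reading an optional decimal width after `%`, clamping it, and using it as the limit with 255 as the fallback, i.e. `... && *s != '\t' && i < width) out[i++] = *s++;`, with the 255 defined once as a named constant instead of three literals. When the cap is hit the rest of the token stays at `s` and would presumably be picked up by the next conversion, so an over-long-token case belongs in the test suite alongside the 119 smoke tests.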
@@ -659,6 +661,7 @@ int fscanf(FILE* fp, const char* fmt, ...) {
 }
 int scanf(const char* fmt, ...) {
+ /* U02: %s limited to 255 chars by default to prevent buffer overflow */
 char line[512];
 if (!fgets(line, (int)sizeof(line), stdin)) return EOF;
 va_list ap;
@@ -686,7 +689,7 @@ int scanf(const char* fmt, ...) {
 char* out = va_arg(ap, char*);
 while (*s == ' ') s++;
 int i = 0;
- while (*s && *s != ' ' && *s != '\n' && *s != '\t') out[i++] = *s++;
+ while (*s && *s != ' ' && *s != '\n' && *s != '\t' && i < 255) out[i++] = *s++;
 out[i] = '\0';
 count++;
 } else {
-- 
2.43.0