<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/121878>121878</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            money_get::do_get analyze large value, code inner will malloc enough buffer, but sscanf not get number from malloc buf
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          ZLFooler
      </td>
    </tr>
</table>

<pre>
    ```
template <class _CharT, class _InputIterator>
_InputIterator money_get<_CharT, _InputIterator>::do_get(
 iter_type __b, iter_type __e, bool __intl, ios_base& __iob, ios_base::iostate& __err, long double& __v) const {
  const int __bz = 100;
  char_type __wbuf[__bz];
  unique_ptr<char_type, void (*)(void*)> __wb(__wbuf, __do_nothing);
  char_type* __wn;
  char_type* __we = __wbuf + __bz;
  locale __loc                 = __iob.getloc();
  const ctype<char_type>& __ct = std::use_facet<ctype<char_type> >(__loc);
  bool __neg                   = false;
  if (__do_get(__b, __e, __intl, __loc, __iob.flags(), __err, __neg, __ct, __wb, __wn, __we)) {
    const char __src[] = "0123456789";
    char_type __atoms[sizeof(__src) - 1];
 __ct.widen(__src, __src + (sizeof(__src) - 1), __atoms);
    char __nbuf[__bz];
    char* __nc = __nbuf;
    unique_ptr<char, void (*)(void*)> __h(nullptr, free);
    if (__wn - __wb.get() > __bz - 2) {
 __h.reset((char*)malloc(static_cast<size_t>(__wn - __wb.get() + 2)));
 if (__h.get() == nullptr)
        __throw_bad_alloc();
      __nc = __h.get();
    }
    if (__neg)
      *__nc++ = '-';
    for (const char_type* __w = __wb.get(); __w < __wn; ++__w, ++__nc)
      *__nc = __src[std::find(__atoms, std::end(__atoms), *__w) - __atoms];
    *__nc = char();
    if (sscanf(__nbuf, "%Lf", &__v) != 1)
 __throw_runtime_error("money_get error");
  }
  if (__b == __e)
 __err |= ios_base::eofbit;
  return __b;
}
```

When `if (__wn - __wb.get() > __bz - 2)` is true, `__nc` will change point from `_nbuf` to `__h`. The result will fill in `__nc(__h)`, but `sscanf(__nbuf, "%Lf", &__v) ` only get value from `_nbuf`. In this case, code can not get right value from `__h`.
</pre>
<img width="1" height="1" alt="" src="http://email.email.llvm.org/o/eJyUVk1r6zoT_jXKZmhQ5MaxF1kk6SkcOMsDL7wbIdtjWxdFypXkhvbXX_ThOGl74Z5g6mo0H8_MPBpZOCcHjbgn2yPZvqzE5Edj9___9WqMQrtqTPe-JyXNDz14PF-U8AikOLVKOAf8NAr7m7AT5PVPfZn8T49WeGNJ8YPQw6MMzkbjOx_Qk-K0mH81LA6kOHQmarKK0ANIj5b79wsC500wuhdgEDTGKOBcaq_ivnG8EQ4JK4PUNA_CGEAa54XPGmht0FBGD9CZqVFZ_kZYDa3RzgPZHQOUvJLaBywfQIoX2FBKirw7ihuwazP1ZHsMamT7MmtMWv49Ib94G2o5q4fob0Z2EDJmB8JqwqogyIviR3RIWJX9hsrxznBt_Cj1EHU-QSDsEIz0v21gBJ_8AWHHmNCsrEwrVMhCmRY-_5KdNM16QK9MG0EvAGKF2hjpPsXiRypq66MD57vUickh70UbefGdFUTLKkK5C5NbrnH4gi8h7IUKzU7aMqRYxZIlXmUmZf4s1MlhTjnBXonB5fySeqJKDJz-aX16X7PDq85vjEb1jTq30ozCAufOtun8RbSEMbphxfO23FU1YWwG_sgp4c3Zke3RyQ80fUwjuGE1PMFmYVkAtb7KDvWickohY6cJq773MGeZ4izFhhm0_pbUaTvxSreZH1H1pvCF9_-J8iNhlZ6UCmbsBL1FfEA1t_Wq4Sm2YJ2nRih79NB8wBOwuzZwPq4tuqxWZeCE1WehEpfDYJAtb4ULlAyF4n7m4LeB2DFGyE8CNyMbHxC9hNLcEqpzFuHHuR-tufJGdHwG8pAq3Nf2zuuiQXYvn8oSObpEIewQfBB2jCSIrNs9EbZbfPTGBtOFqPcT4zYwHqLnndM8bCD55_waWjYvdPsNkuwwnYTbQOil7iL8zMLTMivwcadOEQ4xVh07k0_IHTXvY6VuV99wyLlW6HQedB6w4RSy7a8-vsOyzDcCYZs493NGc-vspL08YxgRJkVhtzsPspDdhZ77NXermQkSh1J2jdYC2Z2C-PECQ9M30s--LPrJ6ng_RknyfX-HE3r434gaSEn_4NSQkoJ04O0U5yQpaWxlSeEqlQr11APCxYQLsbfmHDViAUsK3iSDkZR0Db9HBItuUj7Z9uGP1Def8bSkkPFKn3zY-qO-lBSMVu8QCv4m1IRfMK3hpwY_Sgdt_D44QWs6hFZo0MZHQyuH8Yt5ymHV7YuuLmqxwv1mV5RsU1UFW437502HFe0YFT0VjFLB-kagaASrNptWiJXcM8q2dEN3tKC0YOu-25Z1J3bP5a6m23ZHnimehVRrpd7Oa2OHlXRuwv2GbapdtVKiQeXiBxtjGq8Qd0MFti8ruw9GT800OPJMlXTeLW689Ar3dx9fy-cVCC3U-weCEnbAlPKtJFJrtKlTaTICajMNIzRT36OdW5T6cyuens4N2lS3bNZM_Wqyaj96f3EhPHsl7HWQfpyadWvOhL0GsPn1dLHmLwx36mtM0RH2mmvwtmf_BAAA__-hUCcu">