Use read_int in vfscanf

The function read_int, from printf-parse.h, parses an integer from a string
while avoiding overflows.  It is used by other functions, such as vfprintf,
to avoid undefined behavior.

The function vfscanf (_IO_vfwscanf) parses an integer from the format
string, and can use read_int.

ChangeLog

@@ -1,3 +1,8 @@
+2016-10-26  Gabriel F. T. Gomes  <gftg@linux.vnet.ibm.com>
+
+	* stdio-common/vfscanf.c (_IO_vfwscanf): Use read_int to parse
+	integer from the format string.
+
 2016-10-26  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19473]

stdio-common/vfscanf.c

@@ -133,6 +133,8 @@
 # define WINT_T		int
 #endif
 
+#include "printf-parse.h" /* Use read_int.  */
+
 #define encode_error() do {						      \
 			  errval = 4;					      \
 			  __set_errno (EILSEQ);				      \
@@ -488,9 +490,7 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
       /* Check for a positional parameter specification.  */
       if (ISDIGIT ((UCHAR_T) *f))
 	{
-	  argpos = (UCHAR_T) *f++ - L_('0');
+	  argpos = read_int ((const UCHAR_T **) &f);
-	  while (ISDIGIT ((UCHAR_T) *f))
-	    argpos = argpos * 10 + ((UCHAR_T) *f++ - L_('0'));
 	  if (*f == L_('$'))
 	    ++f;
 	  else
@@ -525,11 +525,8 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 
       /* Find the maximum field width.  */
       width = 0;
-      while (ISDIGIT ((UCHAR_T) *f))
+      if (ISDIGIT ((UCHAR_T) *f))
-	{
+	width = read_int ((const UCHAR_T **) &f);
-	  width *= 10;
-	  width += (UCHAR_T) *f++ - L_('0');
-	}
     got_width:
       if (width == 0)
 	width = -1;