From 305a30d80b63e06d312c9d98ae73934ae143e564 Mon Sep 17 00:00:00 2001 From: Ron Yorston Date: Thu, 9 Sep 2021 08:15:31 +0100 Subject: [PATCH] awk: fix read beyond end of buffer Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read beyond the end of a strduped buffer: 2349 while (*f && *f != '%') 2350 f++; 2351 c = *++f; If the loop terminates because a NUL character is detected the character after the NUL is read. This can result in failures depending on the value of that character. function old new delta awk_printf 672 665 -7 Signed-off-by: Ron Yorston Signed-off-by: Denys Vlasenko
---
 editors/awk.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index f7b8ef0d3..3594717b1 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len)
 s = f;
 while (*f && *f != '%')
 f++;
- c = *++f;
- if (c == '%') { /* double % */
- slen = f - s;
- s = xstrndup(s, slen);
- f++;
- goto tail;
- }
- while (*f && !isalpha(*f)) {
- if (*f == '*')
- syntax_error("%*x formats are not supported");
- f++;
+ if (*f) {
+ c = *++f;
+ if (c == '%') { /* double % */
+ slen = f - s;
+ s = xstrndup(s, slen);
+ f++;
+ goto tail;
+ }
+ while (*f && !isalpha(*f)) {
+ if (*f == '*')
+ syntax_error("%*x formats are not supported");
+ f++;
+ }
 }
 c = *f;
 if (!c) {
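Review bot: The new `if (*f)` guard in awk_printf carries no comment explaining why it exists, and the reason is easy to lose in a later cleanup: when the scan loop stops on the terminator, the old `c = *++f` stepped one byte past the end of the duplicated format string. I would put `/* stopped on '%': safe to look one char ahead; on NUL fall through to the c = *f check below */` directly above the guard. The diffstat lists only editors/awk.c, so no regression test accompanies the fix; because the commit message says the failure depends on the byte after the NUL, a printf case whose format contains no conversion, run under a memory checker, would catch a reintroduction. The body of awk_printf starts and ends outside this hunk.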