diff options
| author | Ron Yorston | 2021-09-09 08:15:31 +0100 |
|---|---|---|
| committer | Denys Vlasenko | 2021-09-30 00:15:44 +0200 |
| commit | 150986c922c7dac59d6ca7253c3a7bd2ff6ee5b8 (patch) | |
| tree | 71284efddbdc483e300684cada49de6a27826587 | |
| parent | 3c9f559a41cdf98f144f95e76944c182a243b2b8 (diff) | |
| download | busybox-150986c922c7dac59d6ca7253c3a7bd2ff6ee5b8.zip busybox-150986c922c7dac59d6ca7253c3a7bd2ff6ee5b8.tar.gz | |
awk: fix read beyond end of buffer
Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read
beyond the end of a strduped buffer:
2349 while (*f && *f != '%')
2350 f++;
2351 c = *++f;
If the loop terminates because a NUL character is detected the
character after the NUL is read. This can result in failures
depending on the value of that character.
function old new delta
awk_printf 672 665 -7
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | editors/awk.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/editors/awk.c b/editors/awk.c index f7b8ef0..3594717 100644 --- a/editors/awk.c +++ b/editors/awk.c @@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len) s = f; while (*f && *f != '%') f++; - c = *++f; - if (c == '%') { /* double % */ - slen = f - s; - s = xstrndup(s, slen); - f++; - goto tail; - } - while (*f && !isalpha(*f)) { - if (*f == '*') - syntax_error("%*x formats are not supported"); - f++; + if (*f) { + c = *++f; + if (c == '%') { /* double % */ + slen = f - s; + s = xstrndup(s, slen); + f++; + goto tail; + } + while (*f && !isalpha(*f)) { + if (*f == '*') + syntax_error("%*x formats are not supported"); + f++; + } } c = *f; if (!c) { |