summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRon Yorston2021-09-09 08:15:31 +0100
committerDenys Vlasenko2021-09-09 18:12:21 +0200
commit305a30d80b63e06d312c9d98ae73934ae143e564 (patch)
tree7882b207944cfb077cde8a6c28d52d1ef56a30e4
parenteb607777697f4c5eb2dfd86e5837a8c379f65979 (diff)
downloadbusybox-305a30d80b63e06d312c9d98ae73934ae143e564.zip
busybox-305a30d80b63e06d312c9d98ae73934ae143e564.tar.gz
awk: fix read beyond end of buffer
Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read beyond the end of a strduped buffer: 2349 while (*f && *f != '%') 2350 f++; 2351 c = *++f; If the loop terminates because a NUL character is detected the character after the NUL is read. This can result in failures depending on the value of that character. function old new delta awk_printf 672 665 -7 Signed-off-by: Ron Yorston <rmy@pobox.com> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--editors/awk.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/editors/awk.c b/editors/awk.c
index f7b8ef0..3594717 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len)
s = f;
while (*f && *f != '%')
f++;
- c = *++f;
- if (c == '%') { /* double % */
- slen = f - s;
- s = xstrndup(s, slen);
- f++;
- goto tail;
- }
- while (*f && !isalpha(*f)) {
- if (*f == '*')
- syntax_error("%*x formats are not supported");
- f++;
+ if (*f) {
+ c = *++f;
+ if (c == '%') { /* double % */
+ slen = f - s;
+ s = xstrndup(s, slen);
+ f++;
+ goto tail;
+ }
+ while (*f && !isalpha(*f)) {
+ if (*f == '*')
+ syntax_error("%*x formats are not supported");
+ f++;
+ }
}
c = *f;
if (!c) {