diff options
author | Ron Yorston | 2021-09-09 08:15:31 +0100 |
---|---|---|
committer | Denys Vlasenko | 2021-09-09 18:12:21 +0200 |
commit | 305a30d80b63e06d312c9d98ae73934ae143e564 (patch) | |
tree | 7882b207944cfb077cde8a6c28d52d1ef56a30e4 | |
parent | eb607777697f4c5eb2dfd86e5837a8c379f65979 (diff) | |
download | busybox-305a30d80b63e06d312c9d98ae73934ae143e564.zip busybox-305a30d80b63e06d312c9d98ae73934ae143e564.tar.gz |
awk: fix read beyond end of buffer
Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read
beyond the end of a strduped buffer:
2349 while (*f && *f != '%')
2350 f++;
2351 c = *++f;
If the loop terminates because a NUL character is detected the
character after the NUL is read. This can result in failures
depending on the value of that character.
function old new delta
awk_printf 672 665 -7
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | editors/awk.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/editors/awk.c b/editors/awk.c index f7b8ef0..3594717 100644 --- a/editors/awk.c +++ b/editors/awk.c @@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len) s = f; while (*f && *f != '%') f++; - c = *++f; - if (c == '%') { /* double % */ - slen = f - s; - s = xstrndup(s, slen); - f++; - goto tail; - } - while (*f && !isalpha(*f)) { - if (*f == '*') - syntax_error("%*x formats are not supported"); - f++; + if (*f) { + c = *++f; + if (c == '%') { /* double % */ + slen = f - s; + s = xstrndup(s, slen); + f++; + goto tail; + } + while (*f && !isalpha(*f)) { + if (*f == '*') + syntax_error("%*x formats are not supported"); + f++; + } } c = *f; if (!c) { |