awk: fix read beyond end of buffer

Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read beyond the end of a strduped buffer: 2349 while (*f && *f != '%') 2350 f++; 2351 c = *++f; If the loop terminates because a NUL character is detected the character after the NUL is read. This can result in failures depending on the value of that character. function old new delta awk_printf 672 665 -7 Signed-off-by: Ron Yorston <rmy@pobox.com> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Ron Yorston <rmy@pobox.com> 2021-09-09 08:15:31 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> 2021-09-09 18:12:21 +0200
commit: 305a30d80b63e06d312c9d98ae73934ae143e564 (patch)
tree: 7882b207944cfb077cde8a6c28d52d1ef56a30e4
parent: eb607777697f4c5eb2dfd86e5837a8c379f65979 (diff)
download: busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.tar.gz
busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.tar.bz2
busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.zip
1 files changed, 13 insertions, 11 deletions
diff --git a/editors/awk.c b/editors/awk.c
index f7b8ef0d3..3594717b1 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len)
                s = f;
                while (*f && *f != '%')
                        f++;
-                c = *++f;
+                if (*f) {
-                if (c == '%') { /* double % */
+                        c = *++f;
-                        slen = f - s;
+                        if (c == '%') { /* double % */
-                        s = xstrndup(s, slen);
+                                slen = f - s;
-                        f++;
+                                s = xstrndup(s, slen);
-                        goto tail;
+                                f++;
-                }
+                                goto tail;
-                while (*f && !isalpha(*f)) {
+                        }
-                        if (*f == '*')
+                        while (*f && !isalpha(*f)) {
-                                syntax_error("%*x formats are not supported");
+                                if (*f == '*')
-                        f++;
+                                        syntax_error("%*x formats are not supported");
+                                f++;
+                        }
                }
                c = *f;
                if (!c) {
author	Ron Yorston <rmy@pobox.com>	2021-09-09 08:15:31 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2021-09-09 18:12:21 +0200
commit	305a30d80b63e06d312c9d98ae73934ae143e564 (patch)
tree	7882b207944cfb077cde8a6c28d52d1ef56a30e4
parent	eb607777697f4c5eb2dfd86e5837a8c379f65979 (diff)
download	busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.tar.gz busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.tar.bz2 busybox-w32-305a30d80b63e06d312c9d98ae73934ae143e564.zip

diff --git a/editors/awk.c b/editors/awk.c index f7b8ef0d3..3594717b1 100644 --- a/editors/awk.c +++ b/editors/awk.c
@@ -2348,17 +2348,19 @@ static char awk_printf(node n, size_t *len)
2348	s = f;	2348	s = f;
2349	while (f && f != '%')	2349	while (f && f != '%')
2350	f++;	2350	f++;
2351	c = *++f;	2351	if (*f) {
2352	if (c == '%') { /* double % */	2352	c = *++f;
2353	slen = f - s;	2353	if (c == '%') { /* double % */
2354	s = xstrndup(s, slen);	2354	slen = f - s;
2355	f++;	2355	s = xstrndup(s, slen);
2356	goto tail;	2356	f++;
2357	}	2357	goto tail;
2358	while (f && !isalpha(f)) {	2358	}
2359	if (f == '')	2359	while (f && !isalpha(f)) {
2360	syntax_error("%*x formats are not supported");	2360	if (f == '')
2361	f++;	2361	syntax_error("%*x formats are not supported");
		2362	f++;
		2363	}
2362	}	2364	}
2363	c = *f;	2365	c = *f;
2364	if (!c) {	2366	if (!c) {