awk: Guard pointer chasing when parsing ternary expressions.

Avoids an uninit pointer deref for some malformed ternary exprs.

Add a test that would crash in busybox before this fix.

Signed-off-by: Brian Foley <bpfoley@google.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

2 files changed, 5 insertions, 1 deletions

diff --git a/editors/awk.c b/editors/awk.c
index b6d8cf203..f2b8b13eb 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -1265,7 +1265,7 @@ static node *parse_expr(uint32_t iexp)
         debug_printf_parse("%s(%x)\n", __func__, iexp);
 
         sn.info = PRIMASK;
-        sn.r.n = glptr = NULL;
+        sn.r.n = sn.a.n = glptr = NULL;
         xtc = TC_OPERAND | TC_UOPPRE | TC_REGEXP | iexp;
 
         while (!((tc = next_token(xtc)) & iexp)) {
@@ -1287,6 +1287,7 @@ static node *parse_expr(uint32_t iexp)
                             || ((t_info == vn->info) && ((t_info & OPCLSMASK) == OC_COLON))
                         ) {
                                 vn = vn->a.n;
+                                if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN);
                         }
                         if ((t_info & OPCLSMASK) == OC_TERNARY)
                                 t_info += P(6);
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index 3933fefc9..9f353fc10 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -338,6 +338,9 @@ testing "awk continue" \
 testing "awk handles invalid for loop" \
     "awk '{ for() }' 2>&1" "awk: cmd. line:1: Unexpected token\n" "" ""
 
+testing "awk handles colon not preceded by ternary" \
+    "awk 'foo:bar:' 2>&1" "awk: cmd. line:1: Unexpected token\n" "" ""
+
 # testing "description" "command" "result" "infile" "stdin"
 testing 'awk negative field access' \
         'awk 2>&1 -- '\''{ $(-1) }'\' \