From 150986c922c7dac59d6ca7253c3a7bd2ff6ee5b8 Mon Sep 17 00:00:00 2001
From: Ron Yorston <rmy@pobox.com>
Date: Thu, 9 Sep 2021 08:15:31 +0100
Subject: awk: fix read beyond end of buffer

Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read
beyond the end of a strduped buffer:

  2349      while (*f && *f != '%')
  2350          f++;
  2351      c = *++f;

If the loop terminates because a NUL character is detected, the
character after the NUL is read.  This can result in failures
depending on the value of that character.

function                                             old     new   delta
awk_printf                                           672     665      -7

Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
 editors/awk.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/editors/awk.c b/editors/awk.c
index f7b8ef0d3..3594717b1 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len)
 		s = f;
 		while (*f && *f != '%')
 			f++;
-		c = *++f;
-		if (c == '%') { /* double % */
-			slen = f - s;
-			s = xstrndup(s, slen);
-			f++;
-			goto tail;
-		}
-		while (*f && !isalpha(*f)) {
-			if (*f == '*')
-				syntax_error("%*x formats are not supported");
-			f++;
+		if (*f) {
+			c = *++f;
+			if (c == '%') { /* double % */
+				slen = f - s;
+				s = xstrndup(s, slen);
+				f++;
+				goto tail;
+			}
+			while (*f && !isalpha(*f)) {
+				if (*f == '*')
+					syntax_error("%*x formats are not supported");
+				f++;
+			}
 		}
 		c = *f;
 		if (!c) {
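Review bot: The new `if (*f)` guard has no comment saying why it exists, so a later cleanup could remove it; without it `c = *++f` steps over the terminating NUL and reads one byte past the strduped format buffer. I would add above the guard something like `/* f is at '%' or at the NUL; never advance past the NUL */`. The diffstat lists only editors/awk.c, so no regression case accompanies the fix; a printf format whose final segment contains no `%` reaches this path. Because the commit message says the failure depends on the value of the stray byte, such a case is only reliable when run under a memory checker such as AddressSanitizer or valgrind. awk_printf begins and ends outside this hunk.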
-- 
cgit v1.2.3-55-g6feb