Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read beyond the end of a strduped buffer:
2349 while (*f && *f != '%') 2350 f++; 2351 c = *++f; If the loop terminates because a NUL character is detected the character after the NUL is read. This can result in failures depending on the value of that character. function old new delta awk_printf 736 706 -30 Signed-off-by: Ron Yorston <[email protected]> --- editors/awk.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/editors/awk.c b/editors/awk.c index f7b8ef0d3..3594717b1 100644 --- a/editors/awk.c +++ b/editors/awk.c @@ -2348,17 +2348,19 @@ static char *awk_printf(node *n, size_t *len) s = f; while (*f && *f != '%') f++; - c = *++f; - if (c == '%') { /* double % */ - slen = f - s; - s = xstrndup(s, slen); - f++; - goto tail; - } - while (*f && !isalpha(*f)) { - if (*f == '*') - syntax_error("%*x formats are not supported"); - f++; + if (*f) { + c = *++f; + if (c == '%') { /* double % */ + slen = f - s; + s = xstrndup(s, slen); + f++; + goto tail; + } + while (*f && !isalpha(*f)) { + if (*f == '*') + syntax_error("%*x formats are not supported"); + f++; + } } c = *f; if (!c) { -- 2.31.1 _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
