ref: d54b703cae9c5e7d5cf0f251bc847d38a70170c4
parent: c0f4e97e4561ff42544e92512bbaf3d7d1f6a671
author: Todd C. Miller <Todd.Miller@sudo.ws>
date: Tue Mar 2 07:58:50 EST 2021
Fix size computation in replace_repeat() for special_case REPEAT_WITH_Q.
This resulted in the NUL terminator being written to the end of the
buffer, which was not the same as the end of the string. That in
turn caused garbage bytes from malloc() to be processed. Also
change the NUL termination to be less error prone by writing the
NUL immediately after the last byte copied.
Reproducible with the following under valgrind:
echo '#!/usr/bin/awk' | awk \
'/^#! ?\/.*\/[a-z]{0,2}awk/ {sub(/^#! ?\/.*\/[a-z]{0,2}awk/,"#! awk"); print}'
--- a/b.c
+++ b/b.c
@@ -935,7 +935,7 @@
if (special_case == REPEAT_PLUS_APPENDED) {size++; /* for the final + */
} else if (special_case == REPEAT_WITH_Q) {
- size += init_q + (atomlen+1)* n_q_reps;
+ size += init_q + (atomlen+1)* (n_q_reps-init_q);
} else if (special_case == REPEAT_ZERO) {size += 2; /* just a null ERE: () */
}
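Review bot: The corrected REPEAT_WITH_Q size term on the added line is a bare arithmetic restatement of how many bytes the copy code later emits, and unlike the neighbouring branches (`/* for the final + */`, `/* just a null ERE: () */`) it carries no comment saying what it accounts for, which is how the original miscount went unnoticed. The loop that emits the optional atom copies lies outside this hunk, so the accounting is inferred, but the new expression reads as one optional leading '?' plus (n_q_reps - init_q) copies of the atom each followed by '?'. Suggest annotating it, e.g. `size += init_q + (atomlen+1)* (n_q_reps-init_q); /* leading '?' if init_q, then (n_q_reps-init_q) copies of "atom?" */`, so a reader can check the term against the copy loop instead of re-deriving it. The enclosing function starts before and ends after this hunk.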
@@ -964,11 +964,8 @@
}
}
memcpy(&buf[j], reptok+reptoklen, suffix_length);
- if (special_case == REPEAT_ZERO) {
- buf[j+suffix_length] = '\0';
- } else {
- buf[size] = '\0';
- }
+ j += suffix_length;
+ buf[j] = '\0';
/* free old basestr */
if (firstbasestr != basestr) {if (basestr)
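Review bot: The new terminator write `buf[j] = '\0';` after the suffix memcpy has no check that `j` is still inside the allocation, so if the size computation in the earlier hunk drifts out of step with the copy code again, the result is a heap write past `buf` rather than the garbage bytes this commit fixes. `size` is still in scope (the removed `buf[size] = '\0'` used it), and if buf is allocated from it with one extra byte for the NUL (the allocation is outside the hunk, so this is inferred), the invariant is `j <= size`; checking it once after `j += suffix_length;`, e.g. `assert(j <= size);` or the file's fatal-error path, turns a future miscount into a loud failure under test rather than a silent overflow. Checking before the memcpy calls would be stronger still, but needs the per-branch expected lengths. The enclosing function begins before and continues after this hunk.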
--