On Tue, 02 Mar 2021 17:09:49 +0000, Stuart Henderson wrote:

> Oh, I should have cc'd Todd on this. Any ideas?

That smells like an uninitialized variable bug.
This is relatively recent code from Apple via NetBSD.

The following appears to fix it.  Basically the NUL terminator was
being written to the end of the allocation but if we didn't fill
the entire thing then malloc junk bytes could be processed.

 - todd

Index: usr.bin/awk/b.c
===================================================================
RCS file: /cvs/src/usr.bin/awk/b.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 b.c
--- usr.bin/awk/b.c     9 Dec 2020 20:00:11 -0000       1.35
+++ usr.bin/awk/b.c     2 Mar 2021 19:37:24 -0000
@@ -971,11 +971,8 @@ replace_repeat(const uschar *reptok, int
                }
        }
        memcpy(&buf[j], reptok+reptoklen, suffix_length);
-       if (special_case == REPEAT_ZERO) {
-               buf[j+suffix_length] = '\0';
-       } else {
-               buf[size] = '\0';
-       }
+       j += suffix_length;
+       buf[j] = '\0';
        /* free old basestr */
        if (firstbasestr != basestr) {
                if (basestr)
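Review bot: the new `j += suffix_length; buf[j] = '\0';` generalizes what the REPEAT_ZERO branch already did (terminate right after the last byte written) to every case, and it would help the log message to say so explicitly, since the diff reads as a removal of a special case rather than as the fix for junk bytes between the written data and buf[size]. The terminator stays in bounds for the same reason the memcpy(&buf[j], reptok+reptoklen, suffix_length) just above it does, so no new overflow risk is introduced; with both branches gone, check whether `special_case` is still referenced elsewhere in replace_repeat(), otherwise it becomes an unused variable.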

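An added illustration of the termination bug this message describes (it is not the awk source and not Todd's code): a buffer sized for the whole output is only partly filled, and terminating at the end of the allocation instead of right after the last written byte exposes the unwritten bytes. The junk fill is a constructed, deterministic stand-in for real malloc junk, and `build_repeat`/`visible_length` are names assumed here.

```c
#include <stdlib.h>
#include <string.h>

/* Builds prefix+suffix into a buffer of `size`+1 bytes, the way replace_repeat()
 * writes into buf, and terminates it either the old way (buf[size]) or the
 * fixed way (right after the last byte written). */
char *build_repeat(const char *prefix, const char *suffix, size_t size, int fixed)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    size_t j;
    char *buf;

    if (plen + slen > size)
        return NULL;                 /* size must cover what gets written */
    buf = malloc(size + 1);          /* +1 for the NUL, since buf[size] was written */
    if (buf == NULL)
        return NULL;
    memset(buf, 'J', size + 1);      /* constructed stand-in for malloc junk */

    memcpy(buf, prefix, plen);
    j = plen;
    memcpy(&buf[j], suffix, slen);   /* mirrors memcpy(&buf[j], reptok+reptoklen, ...) */
    if (fixed) {
        j += slen;
        buf[j] = '\0';               /* terminate right after the last byte written */
    } else {
        buf[size] = '\0';            /* old code: terminate at end of allocation */
    }
    return buf;
}

/* Length of the string a consumer of the buffer would actually process;
 * with the old termination this includes the junk bytes between j and size. */
size_t visible_length(const char *prefix, const char *suffix, size_t size, int fixed)
{
    char *s = build_repeat(prefix, suffix, size, fixed);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}
```

When the written bytes exactly fill the buffer both terminations agree; the difference only shows once the output is shorter than the allocation.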