On Tue, 02 Mar 2021 17:09:49 +0000, Stuart Henderson wrote: > Oh, I should have cc'd Todd on this. Any ideas?
That smells like an uninitialized variable bug. This is relatively recent code from Apple via NetBSD. The following appears to fix it. Basically the NUL terminator was being written to the end of the allocation but if we didn't fill the entire thing then malloc junk bytes could be processed. - todd Index: usr.bin/awk/b.c =================================================================== RCS file: /cvs/src/usr.bin/awk/b.c,v retrieving revision 1.35 diff -u -p -u -r1.35 b.c --- usr.bin/awk/b.c 9 Dec 2020 20:00:11 -0000 1.35 +++ usr.bin/awk/b.c 2 Mar 2021 19:37:24 -0000 @@ -971,11 +971,8 @@ replace_repeat(const uschar *reptok, int } } memcpy(&buf[j], reptok+reptoklen, suffix_length); - if (special_case == REPEAT_ZERO) { - buf[j+suffix_length] = '\0'; - } else { - buf[size] = '\0'; - } + j += suffix_length; + buf[j] = '\0'; /* free old basestr */ if (firstbasestr != basestr) { if (basestr)
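Review bot: the unconditional `buf[j] = '\0'` after `j += suffix_length` is only in bounds if the buffer was allocated for at least `j + 1` bytes; the allocation and the computation of `size` are outside the visible lines, so a short comment or assertion that `j <= size` holds at this point would document why the new index is safe, since the old `buf[size] = '\0'` terminated at a known in-bounds offset while leaving the bytes between the copied suffix and `size` as uninitialized malloc memory. With the terminator now placed right after the last byte written, the former `REPEAT_ZERO` branch (`buf[j+suffix_length]`) and the general branch collapse into one path, so `special_case` may no longer be read in this function; worth checking for an unused-variable warning if nothing else in `replace_repeat` uses it.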