In the loop, when iterating through the array, there was no check whether an
element of the array goes beyond its limits. And with certain input data,
there is an outflow from the array.
---
builtins/printf.def | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builtins/printf.def b/builtins/printf.def
index 23cb8cd1..81f63e33 100644
--- a/builtins/printf.def
+++ b/builtins/printf.def
@@ -1024,7 +1024,7 @@ bexpand (string, len, sawc, lenp)
}
ret = (char *)xmalloc (len + 1);
- for (r = ret, s = string; s && *s; )
+ for (r = ret, s = string; s && *s && r - ret < len; )
{
c = *s++;
if (c != '\\' || *s == '\0')
--
2.42.2
