From 1890d59905414ab84a35892b2e45833654aa5c13 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Sat, 11 Mar 2017 10:59:34 +0100
Subject: tool_writeout: fixed a buffer read overrun on --write-out

If a % ended the statement, the string's trailing NUL would be skipped
and memory past the end of the buffer would be accessed and potentially
displayed as part of the --write-out output. Added tests 1440 and 1441
to check for this kind of condition.

Reported-by: Brian Carpenter
---
 src/tool_writeout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 2fb77742a..7843182f2 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
   double doubleinfo;
 
   while(ptr && *ptr) {
-    if('%' == *ptr) {
+    if('%' == *ptr && ptr[1]) {
       if('%' == ptr[1]) {
         /* an escaped %-letter */
         fputc('%', stream);
-- 
cgit v1.2.3