On 10/16/14 20:45, Per Hedbor () @ Pike (-) developers forum wrote:
overflows the string if it encounters a truncated sequence, e.g. a trailing % or %u with less than 4 hex chars.
The old code relied on the null character after the last character in the string, but that changed when it started to accept widestrings.
The actual decoding code has (and had) proper length checks, but the code scanning for the resulting string length did access out of bounds (even after the null byte). It's not so very likely to actually generate a segfault, but depending on where it has been allocated, that could happen.
if (foo[2] != '0' || foo[3] != '0') {
If the string ends with %u, foo[2] would be the trailing null.
I committed a fix to 8.1, but it will throw an error if a truncated sequence is encountered. If that is not what we want for compatibility reasons, I can revert that and just make sure the code does not read after the null.
arne
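The length scan discussed in this thread, as an added example that is not Pike's code: a hypothetical scanner for a decoder accepting %XX and %uXXXX that checks the remaining length before reading past the '%', so a trailing "%" or "%u" returns an error instead of indexing foo[2] beyond the buffer. It assumes the quoted foo[2]/foo[3] test decides whether the result must be a widestring; that interpretation and the function names are assumptions.

```c
#include <stddef.h>
#include <ctype.h>

/* Added example, not Pike's code: hypothetical length scan for a decoder
 * accepting %XX (one byte) and %uXXXX (one wide char). Returns the decoded
 * length or -1 on a truncated/malformed sequence (the thread's "throw an
 * error" fix). Works on (s, len) only; never relies on a trailing NUL. */
static int all_hex(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)p[i]))
            return 0;
    return 1;
}

long scan_decoded_length(const char *s, size_t len, int *needs_wide)
{
    size_t i = 0;
    long out = 0;

    if (needs_wide)
        *needs_wide = 0;
    while (i < len) {
        if (s[i] != '%') { i++; out++; continue; }
        /* Bounds are checked BEFORE s[i+1..] is read, so a trailing "%" or
         * "%u" never indexes past len (the foo[2] read from the thread). */
        if (i + 1 < len && (s[i + 1] == 'u' || s[i + 1] == 'U')) {
            if (i + 6 > len || !all_hex(s + i + 2, 4))
                return -1;                  /* truncated %uXXXX */
            /* Assumed meaning of the quoted foo[2]/foo[3] test: a non-zero
             * high byte means the result must be a widestring. */
            if (needs_wide && (s[i + 2] != '0' || s[i + 3] != '0'))
                *needs_wide = 1;
            i += 6;
        } else {
            if (i + 3 > len || !all_hex(s + i + 1, 2))
                return -1;                  /* truncated %XX */
            i += 3;
        }
        out++;
    }
    return out;
}

/* 1 if the decoded result needs a widestring, 0 if not, -1 if malformed. */
int decoded_needs_wide(const char *s, size_t len)
{
    int wide;
    return scan_decoded_length(s, len, &wide) < 0 ? -1 : wide;
}
```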