tr: fix yet another access past the end of a string (bug 4374)

author Denis Vlasenko <vda.linux@googlemail.com>

Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)

committer Denis Vlasenko <vda.linux@googlemail.com>

Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)
author Denis Vlasenko <vda.linux@googlemail.com>
Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)
committer Denis Vlasenko <vda.linux@googlemail.com>
Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)
diff --git a/coreutils/tr.c b/coreutils/tr.c

index 860b8122bb7027d3ee5c6bcf961eb25139571ee7..c736c716b229681f4e7a4895bac69709585c0941 100644 (file)
--- a/coreutils/tr.c
+++ b/coreutils/tr.c
@@ -145,12 +145,14 @@ static unsigned int expand(const char *arg, char *buffer)
                                 arg--; /* points to x */
                                 continue; /* copy all, including eventual ']' */
                         }
-                       /* [x-y...] */
-                       arg++;
+                       /* [x-z] */
+                       arg++; /* skip - */
+                       if (arg[0] == '\0' || arg[1] != ']')
+                               bb_show_usage();
                         ac = *arg++;
                         while (i <= ac)
                                 *buffer++ = i++;
-                       arg++;  /* skip the assumed ']' */
+                       arg++;  /* skip ] */
                         continue;
                 }
                 *buffer++ = *arg++;
author	Denis Vlasenko <vda.linux@googlemail.com>
	Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)
committer	Denis Vlasenko <vda.linux@googlemail.com>
	Wed, 30 Jul 2008 22:58:18 +0000 (22:58 -0000)