fix out-of-bounds access with labels involving \

The following input would result in entering these loops with str == "\":

  digraph structs {
  node [shape=record];
  struct1 [shape=record,label="<f0> left|<f1> mid\ dle|<f2> right"];
  struct2 [shape=record,label="<f0> one| two"];
  struct3 [shape=record,label="hello\nworld |{ b |{c|<h\re> d|e}| f}| g | h"];
  struct1 -> struct2;
  struct1 -> struct3;
  }

This would result in iterating past the end of the array. As reported by
@le3d1ng. Closes #1699.

diff --git a/lib/common/labels.c b/lib/common/labels.c
index 4714347d092fdee3438d865bcd998b67ebe5547d..d2fab01762fe4b655d48421fb7ffcdb5e666e2b8 100644 (file)
--- a/lib/common/labels.c
+++ b/lib/common/labels.c
@@ -356,7 +356,7 @@ static char *strdup_and_subst_obj0 (char *str, void *obj, int escBackslash)
      * total length for newstring required from malloc.
      */
     for (s = str; (c = *s++);) {
-       if (c == '\\') {
+       if (c == '\\' && *s != '\0') {
            switch (c = *s++) {
            case 'G':
                newlen += g_len;
@@ -394,7 +394,7 @@ static char *strdup_and_subst_obj0 (char *str, void *obj, int escBackslash)
 
     /* second pass over str assembles new string */
     for (s = str, p = newstr; (c = *s++);) {
-       if (c == '\\') {
+       if (c == '\\' && *s != '\0') {
            switch (c = *s++) {
            case 'G':
                for (t = g_str; (*p = *t++); p++);