From: Matthew Fernandez Date: Fri, 8 May 2020 02:52:59 +0000 (-0700) Subject: fix out-of-bounds access with labels involving \ X-Git-Tag: 2.44.1~73^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cfd8364842fb0492e7d76e90de7cb6b607535999;p=graphviz fix out-of-bounds access with labels involving \ The following input would result in entering these loops with str == "\": digraph structs { node [shape=record]; struct1 [shape=record,label=" left| mid\ dle| right"]; struct2 [shape=record,label=" one| two"]; struct3 [shape=record,label="hello\nworld |{ b |{c| d|e}| f}| g | h"]; struct1 -> struct2; struct1 -> struct3; } This would result in iterating past the end of the array. As reported by @le3d1ng. Closes #1699.
---
diff --git a/lib/common/labels.c b/lib/common/labels.c
index 4714347d0..d2fab0176 100644
--- a/lib/common/labels.c
+++ b/lib/common/labels.c
@@ -356,7 +356,7 @@ static char *strdup_and_subst_obj0 (char *str, void *obj, int escBackslash)
 * total length for newstring required from malloc.
 */
 for (s = str; (c = *s++);) {
- if (c == '\\') {
+ if (c == '\\' && *s != '\0') {
 switch (c = *s++) {
 case 'G':
 newlen += g_len;
@@ -394,7 +394,7 @@ static char *strdup_and_subst_obj0 (char *str, void *obj, int escBackslash)
 /* second pass over str assembles new string */
 for (s = str, p = newstr; (c = *s++);) {
- if (c == '\\') {
+ if (c == '\\' && *s != '\0') {
 switch (c = *s++) {
 case 'G':
 for (t = g_str; (*p = *t++); p++);
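Review bot: The guard `c == '\\' && *s != '\0'` is now duplicated in the sizing loop (hunk at -356) and in the copy loop (hunk at -394), and neither line records that the two tests must stay identical. Per the surrounding comments, the first pass computes the length requested from malloc and the second pass fills that buffer, so a later edit to only one condition could make the copy pass write more bytes than were allocated. I would put a comment on both conditions, for example `/* a trailing '\\' has no escape character after it; treat it as a literal. Must match the test in the other pass, newlen depends on it. */`. The else branch that handles the literal case lies outside both hunks, so that a lone backslash is counted once and copied once is inferred rather than shown here. The diff touches only lib/common/labels.c; a regression input based on the record label in the commit message would keep the overrun from coming back unnoticed.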