From 353f31751d12f2dcee1295720f76c35f35067154 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Mon, 28 Mar 2011 12:54:41 -0400
Subject: [PATCH] Avoid a NULL deref on unrecognized escapes. Collapse %% -> %
 like strftime() does.

---
 plugins/sudoers/iolog_path.c            | 27 +++++++++++++++----------
 plugins/sudoers/regress/iolog_path/data | 24 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/plugins/sudoers/iolog_path.c b/plugins/sudoers/iolog_path.c
index 826f9fbdf..74f5fdff1 100644
--- a/plugins/sudoers/iolog_path.c
+++ b/plugins/sudoers/iolog_path.c
@@ -197,19 +197,24 @@ expand_iolog_path(const char *prefix, const char *dir, const char *file,
 				esc->name[len] == '\0')
 				break;
 			}
-			for (;;) {
-			    len = esc->copy_fn(dst, psize - (dst - path));
-			    if (len < psize - (dst - path))
-				break;
-			    path = erealloc3(path, 2, psize);
-			    psize *= 2;
-			    dst = path + plen;
+			if (esc->name != NULL) {
+			    for (;;) {
+				len = esc->copy_fn(dst, psize - (dst - path));
+				if (len < psize - (dst - path))
+				    break;
+				path = erealloc3(path, 2, psize);
+				psize *= 2;
+				dst = path + plen;
+			    }
+			    dst += len;
+			    plen += len;
+			    src = ep;
+			    continue;
 			}
-			dst += len;
-			plen += len;
-			src = ep;
-			continue;
 		    }
+		} else if (src[1] == '%') {
+		    /* Collapse %% -> % */
+		    src++;
 		} else {
 		    /* May need strftime() */
 		    strfit = 1;
diff --git a/plugins/sudoers/regress/iolog_path/data b/plugins/sudoers/regress/iolog_path/data
index afcd54606..e2877b2b7 100644
--- a/plugins/sudoers/regress/iolog_path/data
+++ b/plugins/sudoers/regress/iolog_path/data
@@ -1,3 +1,27 @@
+000001
+nobody
+1
+root
+0
+somehost
+id
+/var/log/sudo-io
+%%{bogus}
+/var/log/sudo-io
+%%{bogus}
+
+000001
+nobody
+1
+root
+0
+somehost
+id
+/var/log/sudo-io
+%%{seq}
+/var/log/sudo-io
+%%{seq}
+
 000001
 nobody
 1
-- 
2.40.0