From db66ae9d0b74cc1d46a70d47ac1f5f090f11e35e Mon Sep 17 00:00:00 2001
From: Ray Gardner
Date: Tue, 1 Oct 2024 17:49:06 -0600
Subject: [PATCH] Fix out-of-bounds memory access in splitter()

splitter() was attempting to access a string-valued regex when a literal regex was supplied. Fixed.
---
 toys/pending/awk.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/toys/pending/awk.c b/toys/pending/awk.c
index 37a38963..a2a26cc4 100644
--- a/toys/pending/awk.c
+++ b/toys/pending/awk.c
@@ -2739,10 +2739,14 @@ static int splitter(void (*setter)(struct zmap *, int, char *, size_t), struct z
   regex_t *rx;
   regoff_t offs, end;
   int multiline_null_rs = !ENSURE_STR(&STACK[RS])->vst->str[0];
-  if (!IS_RX(zvfs)) to_str(zvfs);
-  char *s0 = s, *fs = IS_STR(zvfs) ? zvfs->vst->str : "";
-  int one_char_fs = utf8cnt(zvfs->vst->str, zvfs->vst->size) == 1;
   int nf = 0, r = 0, eflag = 0;
+  int one_char_fs = 0;
+  char *s0 = s, *fs = "";
+  if (!IS_RX(zvfs)) {
+    to_str(zvfs);
+    fs = zvfs->vst->str;
+    one_char_fs = utf8cnt(zvfs->vst->str, zvfs->vst->size) == 1;
+  }
   // Empty string or empty fs (regex).
   // Need to include !*s b/c empty string, otherwise
   // split("", a, "x") splits to a 1-element (empty element) array
-- 
2.39.5
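Review bot: The regex-valued path is now implicit — when `IS_RX(zvfs)` holds, `fs` stays `""` and `one_char_fs` stays 0 — but nothing in the hunk records why `zvfs->vst` must not be touched for such a value, which is exactly the read this commit removes; a comment above the `if`, such as `// A regex-valued separator has no usable vst; fs/one_char_fs only apply to string separators.`, would keep the next edit from reintroducing the out-of-bounds access. Inside the block `fs` already holds `zvfs->vst->str`, so `one_char_fs = utf8cnt(fs, zvfs->vst->size) == 1;` reads more directly and keeps the dereference in one place. Whether the "empty fs" check that the trailing comment describes still distinguishes a literal regex from an empty string separator cannot be confirmed here, since splitter()'s body continues past the hunk; the removed code also fell back to `""` for the non-string case, so that part appears unchanged.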