From 9d2fefeac4139cad060b6b61871a22ccf11c964e Mon Sep 17 00:00:00 2001
From: tg
Date: Tue, 4 Dec 2012 01:11:17 +0000
Subject: [PATCH] Be more careful with string array bounds! Found by LLVM+Clang scan-build.
---
 shf.c | 9 ++++-----
 var.c | 5 ++++-
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/shf.c b/shf.c
index 4b0f158..aaa8fd2 100644
--- a/shf.c
+++ b/shf.c
@@ -24,7 +24,7 @@
 #include "sh.h"
-__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.47 2012/10/03 16:16:15 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.48 2012/12/04 01:11:16 tg Exp $");
 /* flags to shf_emptybuf() */
 #define EB_READSW 0x01 /* about to switch to reading */
@@ -971,14 +971,13 @@ shf_vfprintf(struct shf *shf, const char *fmt, va_list args)
 case 'c':
 flags &= ~FL_DOT;
- numbuf[0] = (char)(VA(int));
- s = numbuf;
- len = 1;
- break;
+ c = (char)(VA(int));
+ /* FALLTHROUGH */
 case '%':
 default:
 numbuf[0] = c;
+ numbuf[1] = 0;
 s = numbuf;
 len = 1;
 break;
diff --git a/var.c b/var.c
index 626a993..5ce3f21 100644
--- a/var.c
+++ b/var.c
@@ -27,7 +27,7 @@
 #include
 #endif
-__RCSID("$MirOS: src/bin/mksh/var.c,v 1.162 2012/12/01 01:36:30 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/var.c,v 1.163 2012/12/04 01:11:17 tg Exp $");
 /*-
 * Variables
@@ -615,10 +615,13 @@ formatstr(struct tbl *vp, const char *s)
 --slen;
 }
 if (vp->flag & ZEROFIL && vp->flag & INTEGER) {
+ if (!s[0] || !s[1])
+ goto uhm_no;
 if (s[1] == '#')
 n = 2;
 else if (s[2] == '#')
 n = 3;
+ uhm_no:
 if (vp->u2.field <= n)
 n = 0;
 }
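Review bot: In the shf.c hunk at line 971, the `case 'c'` arm now overwrites `c`, which until then holds the conversion character, with the caller's argument before falling through to `default`. If anything after the switch still inspects `c`, it will see the argument value instead; that part of shf_vfprintf() is outside the hunk and should be checked. The added `numbuf[1] = 0;` deserves a comment, since `len = 1` already bounds the output and the terminator only matters to a consumer that reads `s` as a C string: `numbuf[1] = '\0'; /* keep numbuf a valid C string even though len is 1 */`. The declaration of `numbuf` is also not visible here, so the write at index 1 assumes it holds at least two elements.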
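Review bot: In the var.c hunk at line 615, the new `goto uhm_no` skips only two comparisons, so the bound is easier to audit when written into the conditions themselves, which also removes the label: `if (s[0] && s[1] == '#')` and `else if (s[0] && s[1] && s[2] == '#')`. If the jump is kept, a comment above it should say what it protects, for example `/* s shorter than two chars: s[1] or s[2] would read past the terminator */`. On the short-string path `n` reaches `vp->u2.field <= n` unmodified, so it relies on an initialiser that is not visible here. formatstr() starts and ends outside the hunk.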