Update awk to Sep 12, 2022 version.

Fix undefined behavior and a use-after-free in cat().

4 files changed, 13 insertions, 8 deletions

diff --git a/usr.bin/awk/FIXES b/usr.bin/awk/FIXES
index ec76a4ee1b8..fdf782e6295 100644
--- a/usr.bin/awk/FIXES
+++ b/usr.bin/awk/FIXES
@@ -25,6 +25,11 @@ THIS SOFTWARE.
 This file lists all bug fixes, changes, etc., made since the AWK book
 was sent to the printers in August 1987.
 
+Sep 12, 2022:
+	adjbuf minlen error (cannot be 0) in cat, resulting in NULL pbuf.
+	discovered by todd miller. also use-after-free issue with
+	tempfree in cat, thanks to Miguel Pineiro Jr and valgrind.
+
 Aug 30, 2022:
 	Various leaks and use-after-free issues plugged/fixed.
 	Thanks to Miguel Pineiro Jr. <mpj@pineiro.cc>.
diff --git a/usr.bin/awk/main.c b/usr.bin/awk/main.c
index 6edec091924..4b057660c1f 100644
--- a/usr.bin/awk/main.c
+++ b/usr.bin/awk/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.55 2022/09/01 15:21:28 millert Exp $	*/
+/*	$OpenBSD: main.c,v 1.56 2022/09/21 01:42:58 millert Exp $	*/
 /****************************************************************
 Copyright (C) Lucent Technologies 1997
 All Rights Reserved
@@ -23,7 +23,7 @@ ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
 THIS SOFTWARE.
 ****************************************************************/
 
-const char	*version = "version 20220830";
+const char	*version = "version 20220912";
 
 #define DEBUG
 #include <stdio.h>
diff --git a/usr.bin/awk/run.c b/usr.bin/awk/run.c
index 055159584c4..5d87b43e8e6 100644
--- a/usr.bin/awk/run.c
+++ b/usr.bin/awk/run.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: run.c,v 1.73 2022/09/01 15:21:28 millert Exp $	*/
+/*	$OpenBSD: run.c,v 1.74 2022/09/21 01:42:59 millert Exp $	*/
 /****************************************************************
 Copyright (C) Lucent Technologies 1997
 All Rights Reserved
@@ -1198,16 +1198,17 @@ Cell *cat(Node **a, int q)	/* a[0] cat a[1] */
 
 	x = execute(a[0]);
 	n1 = strlen(getsval(x));
-	adjbuf(&s, &ssz, n1, recsize, 0, "cat1");
+	adjbuf(&s, &ssz, n1 + 1, recsize, 0, "cat1");
 	memcpy(s, x->sval, n1);
 
+	tempfree(x);
+
 	y = execute(a[1]);
 	n2 = strlen(getsval(y));
 	adjbuf(&s, &ssz, n1 + n2 + 1, recsize, 0, "cat2");
 	memcpy(s + n1, y->sval, n2);
 	s[n1 + n2] = '\0';
 
-	tempfree(x);
 	tempfree(y);
 
 	z = gettemp();
diff --git a/usr.bin/awk/tran.c b/usr.bin/awk/tran.c
index 6e8b159022c..0e4802ecbf9 100644
--- a/usr.bin/awk/tran.c
+++ b/usr.bin/awk/tran.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tran.c,v 1.35 2022/06/03 19:46:09 millert Exp $	*/
+/*	$OpenBSD: tran.c,v 1.36 2022/09/21 01:42:59 millert Exp $	*/
 /****************************************************************
 Copyright (C) Lucent Technologies 1997
 All Rights Reserved
@@ -566,7 +566,6 @@ Cell *catstr(Cell *a, Cell *b) /* concatenate a and b */
 
 char *qstring(const char *is, int delim)	/* collect string up to next delim */
 {
-	const char *os = is;
 	int c, n;
 	const uschar *s = (const uschar *) is;
 	uschar *buf, *bp;
@@ -575,7 +574,7 @@ char *qstring(const char *is, int delim)	/* collect string up to next delim */
 		FATAL( "out of space in qstring(%s)", s);
 	for (bp = buf; (c = *s) != delim; s++) {
 		if (c == '\n')
-			SYNTAX( "newline in string %.20s...", os );
+			SYNTAX( "newline in string %.20s...", is );
 		else if (c != '\\')
 			*bp++ = c;
 		else {	/* \something */