From e9eda5d5df167c722426ba741342db58e2cdae12 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 13 Jun 2026 18:36:53 +1000
Subject: [PATCH] wildtest: don't read past the buffer when scanning a test line

main()'s line parser stepped through the fgets() buffer with `*++s` in three places without first checking for the terminating NUL, so a test line whose last token runs to the end of the buffer (e.g. a final line with no trailing newline) could advance s past the NUL and read out of bounds. Guard the flag-separator check and rewrite the two whitespace-skip loops so they never step past the NUL. No behaviour change for well-formed input: the existing wildtest.txt still passes, and the crafted overflow input is now clean under valgrind.
Fixes #776
Reported-by: vikk777 (@vikk777)
---
 wildtest.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/wildtest.c b/wildtest.c
index 381ac59d..10cab003 100644
--- a/wildtest.c
+++ b/wildtest.c
@@ -163,14 +163,17 @@ main(int argc, char **argv)
 flag[i] = 0;
 else
 flag[i] = -1;
- if (*++s != ' ' && *s != '\t')
+ if (!*s || (*++s != ' ' && *s != '\t'))
 flag[i] = -1;
 if (flag[i] < 0) {
 fprintf(stderr, "Invalid flag syntax on line %d of %s:\n%s",
 line, *argv, buf);
 exit(1);
 }
- while (*++s == ' ' || *s == '\t') {}
+ if (*s)
+ s++;
+ while (*s == ' ' || *s == '\t')
+ s++;
 }
 for (i = 0; i <= 1; i++) {
 if (*s == '\'' || *s == '"' || *s == '`') {
@@ -194,7 +197,10 @@ main(int argc, char **argv)
 while (*++s && *s != ' ' && *s != '\t' && *s != '\n') {}
 end[i] = s;
 }
- while (*++s == ' ' || *s == '\t') {}
+ if (*s)
+ s++;
+ while (*s == ' ' || *s == '\t')
+ s++;
 }
 *end[0] = *end[1] = '\0';
 run_test(line, flag[0],
-- 
2.47.3
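Review bot: The separator-skip sequence added at the end of the flag loop in this first hunk is repeated verbatim at the end of the string loop in the second hunk, so the bounds rule now lives in two hand-maintained copies. At this first site the `if (*s)` guard can never be false, because the block just above exits unless `*s` is a space or tab; only the second site can arrive on the NUL. A single static helper that states the invariant once, called from both sites, would keep the two copies from drifting apart. The sketch below assumes `s` is a `char *`, which the hunk does not show. main() starts and ends outside both hunks.

```c
/* Step off the current separator, if any, then skip blanks.
 * Never advances past the terminating NUL. */
static char *skip_blanks(char *s)
{
	if (*s)
		s++;
	while (*s == ' ' || *s == '\t')
		s++;
	return s;
}

/* … unchanged: flag parsing and the "Invalid flag syntax" exit … */
	    s = skip_blanks(s);
/* … unchanged: quoted / unquoted string scan, end[i] = s … */
	    s = skip_blanks(s);
```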
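Review bot: The `if (*s)` guard in this second hunk is the line that actually stops the over-read, yet nothing in the code says why it is there. The unquoted scan just above it (`while (*++s && ...)`) can leave `s` on the terminating NUL. A one-line comment would keep a later cleanup from folding it back into `*++s`: `/* s may already be on the NUL (unquoted string at end of buffer); don't step past it */`. The diffstat shows only wildtest.c changed, so the crafted input mentioned in the description is not kept as a regression case. If the test harness can run wildtest under valgrind or ASan, adding that input there would catch a reintroduction. The enclosing loop and main() continue outside the hunk.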