From 0858783cc469c095d7e6121d1fc5689760da841e Mon Sep 17 00:00:00 2001
From: Steve Bennett <steveb@workware.net.au>
Date: Fri, 26 May 2017 14:22:48 +1000
Subject: scan: validate -ve XPG3 specifier

Reported-by: Ryan Whitworth <me@ryanwhitworth.com>
Signed-off-by: Steve Bennett <steveb@workware.net.au>
---
 jim.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'jim.c')

diff --git a/jim.c b/jim.c
index f4e1d54..f070526 100644
--- a/jim.c
+++ b/jim.c
@@ -9516,6 +9516,11 @@ static int SetScanFmtFromAny(Jim_Interp *interp, Jim_Obj *objPtr)
                         return JIM_ERR;
                     }
                 }
+                if (descr->pos < 0) {
+                    fmtObj->error =
+                        "\"%n$\" conversion specifier is negative";
+                    return JIM_ERR;
+                }
                 /* Try to find a width after the XPG3 specifier */
                 if (sscanf(fmt, "%d%n", &width, &skip) == 1) {
                     descr->width = width;
-- 
cgit v1.1