From 96a5ed118ce8ad1aaf7889b9eff599bb4517aa49 Mon Sep 17 00:00:00 2001
From: Andy Chu
Date: Sun, 6 Mar 2016 09:49:50 -0800
Subject: Fix segfault in sed -e 'c\'. Found by afl-fuzz.
---
 tests/sed.test | 3 +++
 toys/posix/sed.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/sed.test b/tests/sed.test
index 280b466a..ec06baae 100755
--- a/tests/sed.test
+++ b/tests/sed.test
@@ -77,6 +77,9 @@ testing "c {range}" "sed -e '2,4{c blah' -e '}'" \
 "" "one\ntwo\nthree\nfour\nfive\nsix"
 testing "c multiple continuation" \
 "sed -e 'c\\' -e 'two\\' -e ''" "two\n\n" "" "hello"
+# NOTE: will print 'unfinished c' to stderr and exit 1
+testing "c empty continuation" \
+ "sed -e 'c\\'" "" "" "hello"
 testing "D further processing depends on whether line is blank" \
 "sed -e '/one/,/three/{' -e 'i meep' -e'N;2D;}'" \
 "meep\nmeep\ntwo\nthree\n" "" "one\ntwo\nthree\n"
diff --git a/toys/posix/sed.c b/toys/posix/sed.c
index 9b5e6664..3def9d40 100644
--- a/toys/posix/sed.c
+++ b/toys/posix/sed.c
@@ -764,7 +764,7 @@ static void jewel_of_judgement(char **pline, long len)
 // Append additional line to pattern argument string?
 // We temporarily repurpose "hit" to indicate line continuations
 if (corwin && corwin->prev->hit) {
- if (!*pline) error_exit("unfinished %c", corwin->prev->c);;
+ if (!pline || !*pline) error_exit("unfinished %c", corwin->prev->c);;
 // Remove half-finished entry from list so remalloc() doesn't confuse it
 TT.pattern = TT.pattern->prev;
 corwin = dlist_pop(&TT.pattern);
--
cgit v1.2.3
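Review bot: The new "c empty continuation" case expects only empty stdout, which a sed that crashed on this input would also produce, so as written it may not tell the fixed behaviour from the original segfault (unless the `testing` helper, which is not visible here, reports signal deaths itself). The NOTE comment says the command should print 'unfinished c' and exit 1; asserting that status would pin the fix, for example `"sed -e 'c\\' 2>/dev/null; echo \$?" "1\n" "" "hello"`. A status of 1 separates the clean error exit from a signal death, which the shell reports as a value above 128.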
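Review bot: The added `!pline` test guards only this continuation branch, and nothing in the hunk records when `jewel_of_judgement` is called with a NULL `pline`; a short comment above the check would document that, e.g. `// pline is NULL when the caller has no more script text (TODO confirm), so test it before *pline`. The function body starts and ends outside the hunk, so any other `*pline` dereference there should be checked against the same NULL case. The replaced line also carries over the stray second semicolon; `if (!pline || !*pline) error_exit("unfinished %c", corwin->prev->c);` is enough.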