Fix an out-of-bounds read in fgetline().

Forgot that a zero-length string might have come back from fgets.

Thanks to Hanno Böck for spotting this, with the aid of AFL.

(cherry picked from commit 5815d6a65af992881f5462097c9320f3a4716e0c)

diff --git a/misc.c b/misc.c
index d3a67f66ff8c8f55214e6af531fa5a2c1b700175..d40f99017e74284ccacccb930ebb4dab9d750e73 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -459,7 +459,7 @@ char *fgetline(FILE *fp)
     int size = 512, len = 0;
     while (fgets(ret + len, size - len, fp)) {
        len += strlen(ret + len);
-       if (ret[len-1] == '\n')
+       if (len > 0 && ret[len-1] == '\n')
            break;                     /* got a newline, we're done */
        size = len + 512;
        ret = sresize(ret, size, char);