From 0f62e07c802e3fa58d1199f34fcf9772da70c264 Mon Sep 17 00:00:00 2001
From: Jun-ichi Takimoto <takimoto-j@kba.biglobe.ne.jp>
Date: Tue, 6 Apr 2021 23:05:03 +0900
Subject: 48389: getkeystring() should not return ptr to local var

Now it returns NULL if called with GETKEY_SINGLE_CHAR and next character
is not found. Caller must check the return value.
---
 Src/math.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'Src/math.c')

diff --git a/Src/math.c b/Src/math.c
index b57ba42d4..1d0d86639 100644
--- a/Src/math.c
+++ b/Src/math.c
@@ -840,13 +840,18 @@ zzlex(void)
 	    if (*ptr == '#') {
 		if (*++ptr == '\\' || *ptr == '#') {
 		    int v;
+		    char *optr = ptr;
 
 		    ptr++;
 		    if (!*ptr) {
 			zerr("bad math expression: character missing after ##");
 			return EOI;
 		    }
-		    ptr = getkeystring(ptr, NULL, GETKEYS_MATH, &v);
+		    if(!(ptr = getkeystring(ptr, NULL, GETKEYS_MATH, &v))) {
+			zerr("bad math expression: bad character after ##");
+			ptr = optr;
+			return EOI;
+		    }
 		    yyval.u.l = v;
 		    return NUM;
 		}
-- 
cgit v1.2.3