From 81b8dcdeb2e58d3b924dd66f442b68c05a6f54cc Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker <jilles@irssi.org>
Date: Wed, 17 Nov 2010 20:41:14 +0000
Subject: [PATCH] Do not go beyond the end of the string when processing an
 octal escape.

This code is used, for example, when /set expand_escapes on.

I can't reproduce crashes but I can reproduce garbage if I type a\1.

bug #775


git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5195 dbcabf3a-b0e7-0310-adc4-f8d773084564
---
 src/core/misc.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/core/misc.c b/src/core/misc.c
index 986e10f3..7c930e3f 100644
--- a/src/core/misc.c
+++ b/src/core/misc.c
@@ -756,17 +756,22 @@ int expand_escape(const char **data)
                 /* control character (\cA = ^A) */
                 (*data)++;
 		return i_toupper(**data) - 64;
-	default:
-		if (!i_isdigit(**data))
-			return -1;
-
+	case '0': case '1': case '2': case '3':
+	case '4': case '5': case '6': case '7':
                 /* octal */
+		digit[1] = digit[2] = digit[3] = '\0';
                 digit[0] = (*data)[0];
-                digit[1] = (*data)[1];
-		digit[2] = (*data)[2];
-                digit[3] = '\0';
-		*data += 2;
+		if ((*data)[1] >= '0' && (*data)[1] <= '7') {
+			++*data;
+			digit[1] = **data;
+			if ((*data)[1] >= '0' && (*data)[1] <= '7') {
+				++*data;
+				digit[2] = **data;
+			}
+		}
 		return strtol(digit, NULL, 8);
+	default:
+		return -1;
 	}
 }