If this is the last expression, then the runaway flag is set on and
evaluation bails in the next iteration, do not fetch next list element
which refers to the list head.
I found this by code inspection, I could not trigger any crash with this
one.
Fixes: ae1d54d1343f ("evaluate: do not crash on runaway number of concatenation components")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/evaluate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 6405d55647fa..8ef1b5e39bdc 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1621,8 +1621,8 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
if (key && expressions) {
if (list_is_last(&key->list, expressions))
runaway = true;
-
- key = list_next_entry(key, list);
+ else
+ key = list_next_entry(key, list);
}
ctx->inner_desc = NULL;
--
2.30.2
