The current implementation does not account for a
trailing backslash followed by a null-byte. If a
null-byte is encountered following a backslash,
normalize() will continue reading (and potentially
writing) into garbage memory ignoring the EOS
null-byte.

Signed-off-by: Sohom Datta <sohomdatta1+git@gmail.com>
---
 tools/perf/util/expr.l | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/expr.l b/tools/perf/util/expr.l
index 0168a9637330..d47de5f270a8 100644
--- a/tools/perf/util/expr.l
+++ b/tools/perf/util/expr.l
@@ -42,8 +42,11 @@ static char *normalize(char *str, int runtime)
 	char *dst = str;
 
 	while (*str) {
-		if (*str == '\\')
+		if (*str == '\\') {
 			*dst++ = *++str;
+			if (!*str)
+				break;
+		}
 		else if (*str == '?') {
 			char *paramval;
 			int i = 0;
-- 
2.38.1

On Sun, Dec 04, 2022 at 04:28:35PM +0530, Sohom Datta wrote:
> The current implementation does not account for a
> trailing backslash followed by a null-byte. If a
> null-byte is encountered following a backslash,
> normalize() will continue reading (and potentially
> writing) into garbage memory ignoring the EOS
> null-byte.
> 
> Signed-off-by: Sohom Datta <sohomdatta1+git@gmail.com>

Acked-by: Jiri Olsa <jolsa@kernel.org>

thanks,
jirka

> ---
>  tools/perf/util/expr.l | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/perf/util/expr.l b/tools/perf/util/expr.l
> index 0168a9637330..d47de5f270a8 100644
> --- a/tools/perf/util/expr.l
> +++ b/tools/perf/util/expr.l
> @@ -42,8 +42,11 @@ static char *normalize(char *str, int runtime)
>  	char *dst = str;
>  
>  	while (*str) {
> -		if (*str == '\\')
> +		if (*str == '\\') {
>  			*dst++ = *++str;
> +			if (!*str)
> +				break;
> +		}
>  		else if (*str == '?') {
>  			char *paramval;
>  			int i = 0;
> -- 
> 2.38.1
>