[PATCH] dc: Parse error & fix out of bounds read in xc_program_printString

[Brian Foley]

Using '92 a' or [\] or [q\] we can construct a string of a single \,
or a trailing \ and this causes printString to read beyond the end of
the string, producing an error with Asan, and a stack undeflow with
production binaries.
---
 miscutils/bc.c     |  6 ++++--
 testsuite/dc.tests | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/miscutils/bc.c b/miscutils/bc.c
index e866f5b4f..984c7077e 100644
--- a/miscutils/bc.c
+++ b/miscutils/bc.c
@@ -5456,11 +5456,13 @@ static void xc_program_printString(const char *str)
 			char *n;
 
 			c = *str++;
-			n = strchr(esc, c); // note: c can be NUL
-			if (!n) {
+			n = strchr(esc, c); // note: if c is NUL, n = \0 at end of esc
+			if (!n || !c) {
 				// Just print the backslash and following character
 				bb_putchar('\\');
 				++G.prog.nchars;
+				// But if we're at the end of the string, stop
+				if (!c) break;
 			} else {
 				if (n - esc == 0) // "\n" ?
 					G.prog.nchars = SIZE_MAX;
diff --git a/testsuite/dc.tests b/testsuite/dc.tests
index 65b71101d..4ed41cabe 100755
--- a/testsuite/dc.tests
+++ b/testsuite/dc.tests
@@ -56,6 +56,25 @@ testing "dc: x should work with strings created from a" \
 	"42\n" \
 	"" ""
 
+testing "dc: p should print invalid escapes" \
+	"dc -e '[\q] p'" \
+	"\\q\n" \
+	"" ""
+
+testing "dc: p should print trailing backslashes" \
+	"dc -e '[q\] p'" \
+	"q\\\\\n" \
+	"" ""
+
+testing "dc: p should parse/print single backslashes" \
+	"dc -e '[\] p'" \
+	"\\\\\n" \
+	"" ""
+
+testing "dc: p should print single backslash strings" \
+	"dc -e '92 a p'" \
+	"\\\\\n" \
+	"" ""
 
 optional FEATURE_DC_BIG
 # All tests below depend on FEATURE_DC_BIG
-- 
2.17.1