From 9b3a2924101c4e17dbb9c0b8745dc4eb9cdca910 Mon Sep 17 00:00:00 2001
From: Jun-ichi Takimoto
Date: Mon, 19 Jul 2021 09:13:03 +0900
Subject: 49166: fix coredump in ${name:offset:length} with ill-formatted length
---
 Src/subst.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'Src/subst.c')
diff --git a/Src/subst.c b/Src/subst.c
index 87a56c3c6..465fe970f 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -3362,13 +3362,15 @@ colonsubscript:
 return NULL;
 }
 if (*check_offset2) {
+ char *nextp;
 check_offset = check_colon_subscript(check_offset2 + 1,
- &check_offset2);
- if (*check_offset2 && *check_offset2 != ':') {
- zerr("invalid length: %s", check_offset);
- return NULL;
- }
+ &nextp);
 if (check_offset) {
+ check_offset2 = nextp;
+ if (*check_offset2 && *check_offset2 != ':') {
+ zerr("invalid length: %s", check_offset);
+ return NULL;
+ }
 length = mathevali(check_offset);
 length_set = 1;
 if (errflag)
-- cgit 1.4.1
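Review bot: The `if (check_offset)` branch has no counterpart for a NULL return from the second `check_colon_subscript()` call, so an ill-formed length is neither reported through `zerr` nor recorded in `length_set`, and `check_offset2` is left pointing at the `:`. What the code after this hunk does with that remainder is not visible here, so it is worth confirming that the text after the colon is either parsed later or rejected rather than silently dropped. If the fall-through is intended, a comment at the `char *nextp;` declaration would record it, for example `/* endp is only meaningful when check_colon_subscript() succeeds; on failure keep check_offset2 at the ':' */`. The enclosing `colonsubscript:` block starts and ends outside the hunk, and the callee's treatment of its out-parameter on failure is inferred from the crash named in the commit subject.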