From 2d647098c803620aab2a7ca94007441e060451d3 Mon Sep 17 00:00:00 2001
From: Alexey Tourbin
Date: Thu, 7 Feb 2013 03:44:41 +0000
Subject: [PATCH] Fixed buffer problems in doShellEscape

When the output from a command is empty, nothing stops doShellEscape from chopping newlines past the beginning of the buffer. This problem was first identified by Dmitry V. Levin in July 2009.

Also, there is an off-by-one error in replacing trailing '\n' with '\0'. This problem, however, escaped the attention of Dmitry V. Levin in July 2009.

Signed-off-by: Panu Matilainen
---
 rpmio/macro.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rpmio/macro.c b/rpmio/macro.c
index 922958032..7ef216109 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -480,14 +480,16 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
 rc = 1;
 goto exit;
 }
+
+ size_t tpos = mb->tpos;
 while((c = fgetc(shf)) != EOF) {
 mbAppend(mb, c);
 }
 (void) pclose(shf);
- /* XXX delete trailing \r \n */
- while (iseol(mb->buf[mb->tpos-1])) {
- mb->buf[mb->tpos--] = '\0';
+ /* Delete trailing \r \n */
+ while (mb->tpos > tpos && iseol(mb->buf[mb->tpos-1])) {
+ mb->buf[--mb->tpos] = '\0';
 mb->nb++;
 }
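Review bot: The saved `size_t tpos = mb->tpos;` is the only thing keeping the trim loop inside this command's own output, but the code does not say so. A comment such as `/* start of this command's output; the trim loop below must never go below it */` would help keep a later edit from reintroducing the `mb->buf[mb->tpos-1]` read before the start of the buffer on empty output. Holding the bound as an index rather than a pointer into `mb->buf` also looks like the right choice if mbAppend can reallocate the buffer, which is not visible in this hunk, and the comment could record that. The declaration sits after statements; the top of doShellEscape is outside the hunk, so if its other locals are declared there, moving `tpos` up would match. Separately and unchanged by this patch, the context line `(void) pclose(shf);` discards the exit status, so a failed command and one that legitimately printed nothing look identical to the caller.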