This fixes a memory corruption due to write access out of
bounds of token array, whose size was computed incorrectly.
It was assumed that only '%' characters separate tokens,
which could lead to crashes on useless uses of '[' tokens,
such as "rpm -qa --qf '[]lalala'".
numTokens = 0;
if (str != NULL)
for (chptr = str; *chptr != '\0'; chptr++)
- if (*chptr == '%') numTokens++;
+ if (*chptr == '%' || *chptr == '[') numTokens++;
numTokens = numTokens * 2 + 1;
format = xcalloc(numTokens, sizeof(*format));