Fix memory allocation for token array

This fixes a memory corruption due to write access out of
bounds of token array, whose size was computed incorrectly.
It was assumed that only '%' characters separate tokens,
which could lead to crashes on useless uses of '[' tokens,
such as "rpm -qa --qf '[]lalala'".

diff --git a/lib/headerfmt.c b/lib/headerfmt.c
index 569bc0e..d395658 100644 (file)
--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
@@ -296,7 +296,7 @@ static int parseFormat(headerSprintfArgs hsa, char * str,
     numTokens = 0;
     if (str != NULL)
     for (chptr = str; *chptr != '\0'; chptr++)
-       if (*chptr == '%') numTokens++;
+       if (*chptr == '%' || *chptr == '[') numTokens++;
     numTokens = numTokens * 2 + 1;
 
     format = xcalloc(numTokens, sizeof(*format));