Fix crash on expanding command line strings

5 files changed, 8 insertions, 1 deletions

diff --git a/src/command_manager.cc b/src/command_manager.cc
index ac6ef56a..8d400a64 100644
--- a/src/command_manager.cc
+++ b/src/command_manager.cc
@@ -168,6 +168,7 @@ void skip_blanks_and_comments(Reader& reader)
 
 Token parse_percent_token(Reader& reader, bool throw_on_unterminated)
 {
+    kak_assert(*reader == '%');
     ++reader;
     const auto type_start = reader.pos;
     while (reader and iswalpha(*reader))
@@ -340,7 +341,9 @@ String expand_impl(StringView str, const Context& context,
         Codepoint c = *reader;
         if (c == '\\')
         {
-            c = *++reader;
+            if (not (++reader))
+                throw parse_error{"unterminated escape"};
+            c = *reader;
             if (c == '%' or c == '\\')
             {
                 res += reader.substr_from(beg);
diff --git a/test/regression/0-crash-on-specialy-crafted-modeline/cmd b/test/regression/0-crash-on-specialy-crafted-modeline/cmd
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/test/regression/0-crash-on-specialy-crafted-modeline/cmd
@@ -0,0 +1 @@
+
diff --git a/test/regression/0-crash-on-specialy-crafted-modeline/in b/test/regression/0-crash-on-specialy-crafted-modeline/in
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/test/regression/0-crash-on-specialy-crafted-modeline/in
@@ -0,0 +1 @@
+
diff --git a/test/regression/0-crash-on-specialy-crafted-modeline/out b/test/regression/0-crash-on-specialy-crafted-modeline/out
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/test/regression/0-crash-on-specialy-crafted-modeline/out
@@ -0,0 +1 @@
+
diff --git a/test/regression/0-crash-on-specialy-crafted-modeline/rc b/test/regression/0-crash-on-specialy-crafted-modeline/rc
new file mode 100644
index 00000000..d0ebe7c3
--- /dev/null
+++ b/test/regression/0-crash-on-specialy-crafted-modeline/rc
@@ -0,0 +1 @@
+set global modelinefmt %{\}