Upstream commit:

    awk: fix read beyond end of buffer
    Commit 7d06d6e18 (awk: fix printf %%) can cause awk printf to read
    beyond the end of a strduped buffer:

      2349      while (*f && *f != '%')
      2350          f++;
      2351      c = *++f;

    If the loop terminates because a NUL character is detected the
    character after the NUL is read.  This can result in failures
    depending on the value of that character.

    function                                             old     new   delta
    awk_printf                                           672     665      -7

    Signed-off-by: Ron Yorston <rmy@pobox.com>
    Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/editors/awk.c b/editors/awk.c
index 3adbca7..02c26d7 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2346,12 +2346,21 @@ static char *awk_printf(node *n, size_t *len)
 		size_t slen;

 		s = f;
-		while (*f && (*f != '%' || *++f == '%'))
-			f++;
-		while (*f && !isalpha(*f)) {
-			if (*f == '*')
-				syntax_error("%*x formats are not supported");
+		while (*f && *f != '%')
 			f++;
+		if (*f) {
+      c = *++f;
+			if (c == '%') { /* double % */
+				slen = f - s;
+				s = xstrndup(s, slen);
+				f++;
+				goto tail;
+			}
+			while (*f && !isalpha(*f)) {
+				if (*f == '*')
+					syntax_error("%*x formats are not supported");
+				f++;
+ 			}
 		}
 		c = *f;
 		if (!c) {