From 28bd3a4b5d24742567049875ef7456cf0633f64c Mon Sep 17 00:00:00 2001
From: Charlotte
Date: Wed, 28 Jun 2023 11:51:12 +1000
Subject: [PATCH] fmt: don't overrun fmt string buffer

For input like "{", "{1", etc., we would exit the loop due to `i < fmt.size()` no longer being the case, and then check if `++i == fmt.size()`. That would increment i to `fmt.size() + 1`, and so execution continues. The intention is to move i beyond the ':', so we do it only in that case instead.
---
kernel/fmt.cc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/fmt.cc b/kernel/fmt.cc
index 924a23a0c..b24fe59b2 100644
--- a/kernel/fmt.cc
+++ b/kernel/fmt.cc
@@ -55,12 +55,13 @@ void Fmt::parse_rtlil(RTLIL::Cell *cell) {
 arg_size *= 10;
 arg_size += fmt[i] - '0';
 } else if (fmt[i] == ':') {
+ ++i;
 break;
 } else {
 log_assert(false && "Unexpected character in format substitution");
 }
 }
- if (++i == fmt.size())
+ if (i == fmt.size())
 log_assert(false && "Unexpected end in format substitution");
 if ((size_t)args.size() < arg_size)
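Review bot: The end-of-input check at `if (i == fmt.size())` still reports malformed input through `log_assert`, so the bounds guarantee this commit restores holds only in builds where that assertion is active and fatal. If `log_assert` is compiled out under `NDEBUG` (its definition is not visible in this hunk), input such as `{` or `{1` would fall through to whatever reads `fmt[i]` next; because the format string appears to come from cell data, an unconditional error path such as `log_error("Unexpected end in format substitution\n");` would be safer than an assertion here and in the `Unexpected character` branch above it. A regression test feeding the inputs named in the commit message, plus a trailing-colon case such as `{1:`, would pin the fix. `Fmt::parse_rtlil` begins and ends outside the hunk, so the loop header and the later uses of `i` are inferred from the commit message rather than read from the code.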