author | Ingo Schwarze <schwarze@openbsd.org> | 2015-01-01 19:28:49 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2015-01-01 19:28:49 +0000 |
commit | c147a10e9238c3d84c374dadb602444272da1d10 (patch) | |
tree | 9e5c12d5335f4dbda8253d8c8108d701cfeaabc9 | |
parent | 0c4268a97d14f67e1ac6cff32d0a418723ac49cd (diff) | |
download | mandoc-c147a10e9238c3d84c374dadb602444272da1d10.tar.gz |
Fix a buffer overrun triggered by a trailing backslash at EOF in
an unclosed conditional body. If the memory contained the byte
sequence "\}" after the end of the buffer before the next NUL, this
could even write beyond the end of the buffer, specifically '&' to
the location of the '}'. Found by jsg@ with afl.
-rw-r--r-- | roff.c | 10 |
1 files changed, 6 insertions, 4 deletions
@@ -1,7 +1,7 @@
 /* $Id$ */
 /*
- * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
+ * Copyright (c) 2010-2015 Ingo Schwarze <schwarze@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -1163,7 +1163,8 @@ roff_cond_sub(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
@@ -1183,7 +1184,8 @@ roff_cond_text(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
 |
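Review bot: The new guard `if (*ep != '\0')` in the roff_cond_sub hunk carries no comment saying why the increment is conditional, so a later tidy-up could fold it back into an unconditional `++ep`. I would put `/* A trailing backslash leaves ep on the NUL; never step past it. */` directly above it, and the same in the roff_cond_text hunk. The identical scan tail is patched in two functions, which suggests the `\}` scan could move into one static helper so a future bounds fix cannot miss a copy; this is inferred, since the loop header and the start of both functions lie outside the hunks. The diffstat lists only roff.c, so no regression input for the trailing-backslash-at-EOF case accompanies the fix, and adding the fuzzer-found case to the test suite would keep it from regressing.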