authorIngo Schwarze <schwarze@openbsd.org>2017-07-31 15:19:06 +0000
committerIngo Schwarze <schwarze@openbsd.org>2017-07-31 15:19:06 +0000
commit8f670667f66c9cd558e335e8987b7e8d1faad4c4 (patch)
tree5951d8cfeda80ba773a47f4feab2e5deae3373e5
parent8c938c8f81672d51d1d8406408e9f01a288a6920 (diff)
downloadmandoc-8f670667f66c9cd558e335e8987b7e8d1faad4c4.tar.gz
Fix an out of bounds read access to a constant array that caused
segfaults on certain hardened versions of glibc. Triggered by .sp or blank lines right before .SS or .SH, or before the first .Sh. Found the hard way by Dr. Markus Waldner on Debian and by Leah Neukirchen on Void Linux.
-rw-r--r--man_term.c4
-rw-r--r--mdoc_validate.c2
2 files changed, 3 insertions, 3 deletions
diff --git a/man_term.c b/man_term.c
index e0348624..38d11c1c 100644
--- a/man_term.c
+++ b/man_term.c
@@ -673,7 +673,7 @@ pre_SS(DECL_ARGS)
do {
n = n->prev;
- } while (n != NULL && n->tok != TOKEN_NONE &&
+ } while (n != NULL && n->tok >= MAN_TH &&
termacts[n->tok].flags & MAN_NOTEXT);
if (n == NULL || (n->tok == MAN_SS && n->body->child == NULL))
break;
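Review bot: The new guard `n->tok >= MAN_TH` bounds the index into `termacts` only from below, and nothing visible in this hunk checks the upper end before `termacts[n->tok].flags` is read. If the parser guarantees that a man(7) tree never carries a token past the man range, a short comment such as `/* tokens below MAN_TH (text, roff requests) have no termacts entry */` would record why one side is enough. Otherwise bound both sides, e.g. `n->tok >= MAN_TH && n->tok < MAN_MAX`, assuming the token enum has such an end marker. The same one-sided check appears in the pre_SH hunk and, with `MDOC_Dd` and `mdoc_macros`, in the post_root hunk. The loop body of pre_SS starts and ends outside the hunk, so this is based on the visible lines only.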
@@ -735,7 +735,7 @@ pre_SH(DECL_ARGS)
do {
n = n->prev;
- } while (n != NULL && n->tok != TOKEN_NONE &&
+ } while (n != NULL && n->tok >= MAN_TH &&
termacts[n->tok].flags & MAN_NOTEXT);
if (n == NULL || (n->tok == MAN_SH && n->body->child == NULL))
break;
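Review bot: This loop condition is a line-for-line copy of the one in pre_SS, which is why the out-of-bounds read had to be fixed twice. A small static helper that takes the node and returns whether it is a no-text macro would keep the range check next to the table lookup in one place. Independently of that, parenthesising the bit test as `(termacts[n->tok].flags & MAN_NOTEXT)` would make the mix of `&&` and `&` easier to read. The rest of pre_SH lies outside the hunk.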
diff --git a/mdoc_validate.c b/mdoc_validate.c
index 87e87b26..a0137509 100644
--- a/mdoc_validate.c
+++ b/mdoc_validate.c
@@ -1931,7 +1931,7 @@ post_root(POST_ARGS)
/* Check that we begin with a proper `Sh'. */
n = mdoc->first->child;
- while (n != NULL && n->tok != TOKEN_NONE &&
+ while (n != NULL && n->tok >= MDOC_Dd &&
mdoc_macros[n->tok].flags & MDOC_PROLOGUE)
n = n->next;