diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2011-09-18 23:51:31 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2011-09-18 23:51:31 +0000 |
commit | a3b1c69e9d6c4f3ba1529d6530ff694f80926242 (patch) | |
tree | 4cc1237dbdb876ae0522cb011cb08bcd9bef675d | |
parent | b9805b21686844285a66e361542127622df77b54 (diff) | |
download | mandoc-a3b1c69e9d6c4f3ba1529d6530ff694f80926242.tar.gz |
Fix another regression introduced in 1.11.7:
If a string is defined in terms of itself, the REPARSE_LIMIT in read.c
used to break the cycle. This no longer works since all the work
is now done in the function roff_res(), looping indefinitely.
Make this loop finite by arbitrarily limiting the number of times one
string may be expanded; when that limit is reached, leave the remaining
string references unexpanded.
This changes behaviour compared to 1.11.5, where the whole line would
have been dropped. The new behaviour is better because it loses less
information. We don't want to imitate groff-1.20.1 behaviour anyway
because groff aborts parsing of the whole file.
ok kristaps@
-rw-r--r-- | roff.c | 15 |
1 files changed, 13 insertions, 2 deletions
@@ -31,6 +31,9 @@ /* Maximum number of nested if-else conditionals. */ #define RSTACK_MAX 128 +/* Maximum number of string expansions per line, to break infinite loops. */ +#define EXPAND_LIMIT 1000 + enum rofft { ROFF_ad, ROFF_am, @@ -437,10 +440,12 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos) const char *stnam; /* start of the name, after "[(*" */ const char *cp; /* end of the name, e.g. before ']' */ const char *res; /* the string to be substituted */ - int i, maxl; + int i, maxl, expand_count; size_t nsz; char *n; + expand_count = 0; + again: cp = *bufp + pos; while (NULL != (cp = strchr(cp, '\\'))) { @@ -535,7 +540,13 @@ again: *bufp = n; *szp = nsz; - goto again; + + if (EXPAND_LIMIT >= ++expand_count) + goto again; + + /* Just leave the string unexpanded. */ + mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, pos, NULL); + return; } } |