authorIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
commitb1128883721e330dd696d3ee5bbaabaa4c3d45b3 (patch)
treee5947f5bed5ad9135dc9640760a2d40904b6ff19
parent4039dc9d2363717732db9e312b0dcc38973d1a54 (diff)
downloadmandoc-b1128883721e330dd696d3ee5bbaabaa4c3d45b3.tar.gz
Reduce memory and time consumption on certain malformed input files
by limiting the length of expanded input lines during the (usually recursive) expansion of user defined strings. Resource hogging found by jsg@ with afl.
-rw-r--r--roff.76
-rw-r--r--roff.c7
2 files changed, 11 insertions, 2 deletions
diff --git a/roff.7 b/roff.7
index 15f74e30..98957c6e 100644
--- a/roff.7
+++ b/roff.7
@@ -543,8 +543,10 @@ one explicit newline character.
In order to prevent endless recursion, both groff and
.Xr mandoc 1
limit the stack depth for expanding macros and strings
-to a large, but finite number.
-Do not rely on the exact value of this limit.
+to a large, but finite number, and
+.Xr mandoc 1
+also limits the length of the expanded input line.
+Do not rely on the exact values of these limits.
.Ss \&dei
Define a
.Nm
diff --git a/roff.c b/roff.c
index 58fbfd44..f619960b 100644
--- a/roff.c
+++ b/roff.c
@@ -21,6 +21,7 @@
#include <assert.h>
#include <ctype.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
buf->buf, res, cp) + 1;
+ if (buf->sz > SHRT_MAX) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(stesc - buf->buf), NULL);
+ return(ROFF_IGN);
+ }
+
/* Prepare for the next replacement. */
start = nbuf + pos;
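Review bot: The new `return(ROFF_IGN)` is reached only after `mandoc_asprintf` has allocated `nbuf` and `buf->sz` has been overwritten, so on this path nothing visible frees `nbuf`, and `buf->sz` holds the expanded length while `buf->buf` still points at the old, shorter buffer. Because the limit is meant to contain malformed input, each rejected line would then cost one oversized allocation that appears to be leaked, and any later code that trusts `buf->sz` could read past the old buffer. Testing before the allocation avoids both problems: place `if (buf->sz + strlen(res) > SHRT_MAX) {` above the `mandoc_asprintf` call, or at minimum add `free(nbuf);` before the return and leave `buf->sz` untouched. A short comment such as `/* Arbitrary cap on the expanded line length; see roff(7). */` would also explain why `SHRT_MAX` is used and why `MANDOCERR_ROFFLOOP` is reported for a length limit. The body of `roff_res` starts and ends outside this hunk, so the normal `free(buf->buf)` and reassignment are not visible here and should be checked against this path.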