To prevent infinite recursion while expanding eqn(7) definitions,

we must not reset the recursion counter when moving beyond the end
of the *previous* expansion, but we may only do so when moving
beyond the rightmost position reached by *any* expansion in the
current equation.  This matters because definitions can nest;
consider:

.EQ
define inner "content"
define outer "inner outer"
outer
.EN

This endless loop was found by tb@ using afl(1).

Incidentally, GNU eqn(1) also performs an infinite loop in this
situation and then crashes when memory runs out, but that's not an
excuse for nasty behaviour of mandoc(1).

While here, consistently print the expanded content even when the
expansion is finally truncated.  While that is not likely to help
end-users, it may help authors of eqn(7) code to understand what's
going on.  Besides, it sends a very clear signal that something is
amiss, which was easy to miss in the past unless people
enabled -W error or used -T lint.

1 files changed, 4 insertions, 2 deletions

diff --git a/eqn_parse.h b/eqn_parse.h
index bb21a0e1..b16c014f 100644
--- a/eqn_parse.h
+++ b/eqn_parse.h
@@ -1,7 +1,7 @@
-/*	$Id$ */
+/* $Id$ */
 /*
+ * Copyright (c) 2014, 2017, 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -32,6 +32,8 @@ struct	eqn_node {
 	size_t		  defsz;   /* Number of definitions. */
 	size_t		  sz;      /* Length of the source code. */
 	size_t		  toksz;   /* Length of the current token. */
+	int		  sublen;  /* End of rightmost substitution, so far. */
+	int		  subcnt;  /* Number of recursive substitutions. */
 	int		  gsize;   /* Default point size. */
 	int		  delim;   /* In-line delimiters enabled. */
 	char		  odelim;  /* In-line opening delimiter. */