Fix an out of bounds read access to a constant array that caused

segfaults on certain hardened versions of glibc. Triggered by .sp or blank lines right before .SS or .SH, or before the first .Sh. Found the hard way by Dr. Markus Waldner on Debian and by Leah Neukirchen on Void Linux.
author: Ingo Schwarze <schwarze@openbsd.org> 2017-07-31 15:19:06 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2017-07-31 15:19:06 +0000
commit: 8f670667f66c9cd558e335e8987b7e8d1faad4c4 (patch)
tree: 5951d8cfeda80ba773a47f4feab2e5deae3373e5 /mdoc_validate.c
parent: 8c938c8f81672d51d1d8406408e9f01a288a6920 (diff)
download: mandoc-8f670667f66c9cd558e335e8987b7e8d1faad4c4.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/mdoc_validate.c b/mdoc_validate.c
index 87e87b26..a0137509 100644
--- a/mdoc_validate.c
+++ b/mdoc_validate.c
@@ -1931,7 +1931,7 @@ post_root(POST_ARGS)
 	/* Check that we begin with a proper `Sh'. */
 
 	n = mdoc->first->child;
-	while (n != NULL && n->tok != TOKEN_NONE &&
+	while (n != NULL && n->tok >= MDOC_Dd &&
 	    mdoc_macros[n->tok].flags & MDOC_PROLOGUE)
 		n = n->next;
author	Ingo Schwarze <schwarze@openbsd.org>	2017-07-31 15:19:06 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2017-07-31 15:19:06 +0000
commit	8f670667f66c9cd558e335e8987b7e8d1faad4c4 (patch)
tree	5951d8cfeda80ba773a47f4feab2e5deae3373e5 /mdoc_validate.c
parent	8c938c8f81672d51d1d8406408e9f01a288a6920 (diff)
download	mandoc-8f670667f66c9cd558e335e8987b7e8d1faad4c4.tar.gz