diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-17 03:03:03 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-17 03:03:03 +0000 |
commit | 43757c82b3a7a65d2481fe9ff6efb2970e685827 (patch) | |
tree | 1dea4e21cc3c7f041c2a1f473a3f65883e130820 /roff.7 | |
parent | fa4c0272e4f32857c55289b94ac6986d26909487 (diff) | |
download | mandoc-43757c82b3a7a65d2481fe9ff6efb2970e685827.tar.gz |
Fix a read buffer overrun that copied random data from memory into
text nodes when a string passed to deroff() ended in a backslash
and the byte after the terminating NUL was non-NUL, found by tb@
with afl(1).
Invalid bytes so copied with the high bit set could later sometimes
trigger another out of bounds read access to static memory in
roff_strdup(), so add an assertion there to abort safely in case
of similar data corruption.
Diffstat (limited to 'roff.7')
0 files changed, 0 insertions, 0 deletions