authorIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
commitb1128883721e330dd696d3ee5bbaabaa4c3d45b3 (patch)
treee5947f5bed5ad9135dc9640760a2d40904b6ff19 /roff.c
parent4039dc9d2363717732db9e312b0dcc38973d1a54 (diff)
Reduce memory and time consumption on certain malformed input files
by limiting the length of expanded input lines during the (usually recursive) expansion of user defined strings. Resource hogging found by jsg@ with afl.
Diffstat (limited to 'roff.c')
-rw-r--r--roff.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/roff.c b/roff.c
index 58fbfd44..f619960b 100644
--- a/roff.c
+++ b/roff.c
@@ -21,6 +21,7 @@
#include <assert.h>
#include <ctype.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
buf->buf, res, cp) + 1;
+ if (buf->sz > SHRT_MAX) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(stesc - buf->buf), NULL);
+ return(ROFF_IGN);
+ }
+
/* Prepare for the next replacement. */
start = nbuf + pos;
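Review bot: The new early return in roff_res leaks `nbuf`: mandoc_asprintf has just allocated the expanded line, and `return(ROFF_IGN);` leaves without releasing it, so each over-long expansion on malformed input still costs one lost allocation of more than SHRT_MAX bytes. Adding `free(nbuf);` before the return closes that. In addition, `buf->sz` has already been overwritten with the new length while `buf->buf` still points at the old, shorter buffer. Whether any caller reads `buf->sz` after ROFF_IGN is not visible in this hunk, but holding the length in a local and assigning `buf->sz` only after the limit check would keep the pair consistent. A short comment on why SHRT_MAX was chosen as the line-length limit would also help; the rest of roff_res lies outside the hunk.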