improve previous: do the size check up front to avoid leaking memory

author: Ingo Schwarze <schwarze@openbsd.org> 2014-12-28 14:16:26 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-12-28 14:16:26 +0000
commit: 6c9bf65b847eba6ae5bf1d6bf9d72a29550bf824 (patch)
tree: 0caf4c09b5100e00618b7fd2d8eb62cb52b91f58 /roff.c
parent: b1128883721e330dd696d3ee5bbaabaa4c3d45b3 (diff)
download: mandoc-6c9bf65b847eba6ae5bf1d6bf9d72a29550bf824.tar.gz
1 files changed, 4 insertions, 6 deletions
diff --git a/roff.c b/roff.c
index f619960b..de336ca2 100644
--- a/roff.c
+++ b/roff.c
@@ -651,6 +651,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
 			    r->parse, ln, (int)(stesc - buf->buf),
 			    "%.*s", (int)naml, stnam);
 			res = "";
+		} else if (buf->sz + strlen(res) > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
 		}
 
 		/* Replace the escape sequence by the string. */
@@ -659,12 +663,6 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
 		buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
 		    buf->buf, res, cp) + 1;
 
-		if (buf->sz > SHRT_MAX) {
-			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
-			    ln, (int)(stesc - buf->buf), NULL);
-			return(ROFF_IGN);
-		}
-
 		/* Prepare for the next replacement. */
 
 		start = nbuf + pos;
author	Ingo Schwarze <schwarze@openbsd.org>	2014-12-28 14:16:26 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2014-12-28 14:16:26 +0000
commit	6c9bf65b847eba6ae5bf1d6bf9d72a29550bf824 (patch)
tree	0caf4c09b5100e00618b7fd2d8eb62cb52b91f58 /roff.c
parent	b1128883721e330dd696d3ee5bbaabaa4c3d45b3 (diff)
download	mandoc-6c9bf65b847eba6ae5bf1d6bf9d72a29550bf824.tar.gz