path: root/roff.c
author: Ingo Schwarze <schwarze@openbsd.org> 2017-03-09 15:29:35 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2017-03-09 15:29:35 +0000
commit: bc5f2993f31191748ab9fed5f476079463af8f5e (patch)
tree: f382a5038d7a94624736f25009b30a03c36b50e2 /roff.c
parent: eb74e0f0e616a89f769432b7f4c31856c1a37f49 (diff)
download: mandoc-bc5f2993f31191748ab9fed5f476079463af8f5e.tar.gz
Fix blunder in previous: we must keep the line parse buffer
consistent even when aborting the parsing of the line. That buffer is not our own, but owned and reused by mparse_buf_r(), read.c. Returning without cleanup leaked memory and caused write overruns of the old, typically much smaller buffer in mparse_buf_r(). Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.
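The failure mode the commit message describes, as an added illustration that is not mandoc code: a callee that may replace a caller-owned `{buf, sz}` pair sets `sz` to the size of its new allocation before it has installed that allocation, so an early return that skips the swap leaves `sz` describing a buffer the caller no longer holds. The `struct linebuf`, `expand_line()`, `run_scenario()` and the `actual_alloc` bookkeeping below are constructed for this example; the real read.c and roff.c types and control flow differ.

```c
/* Added example, not mandoc code: why every return path of a routine that
 * replaces a caller-owned line buffer must leave {buf, sz} consistent. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caller-owned buffer (hypothetical shape): the callee may swap in a new
 * allocation, and sz must always describe whatever buf points at. */
struct linebuf {
	char	*buf;	/* heap allocation, owned and reused by the caller */
	size_t	 sz;	/* size the caller believes the allocation has */
};

/* Example-only bookkeeping: the true size of the allocation behind buf,
 * so the scenario can measure how far sz has drifted from reality. */
static size_t	 actual_alloc;
/* Example-only handle to the buffer the buggy path drops, so the scenario
 * can release it; real code has no such handle, which is the leak. */
static char	*stray;

static char *
xmalloc_checked(size_t n)
{
	char *p = malloc(n);
	if (p == NULL) {
		perror("malloc");
		exit(1);
	}
	return p;
}

/* Simplified stand-in for a macro-expansion step: build the expansion in a
 * fresh buffer n1, record its size in lb->sz early, then hit an abort
 * condition before the normal swap at the end of the function.
 * fixed == 0: abort returns without swapping (sz now lies about buf).
 * fixed != 0: abort frees the old buffer and installs n1, as the patch does. */
static int
expand_line(struct linebuf *lb, const char *expansion, int abort_early, int fixed)
{
	size_t	 newsz = strlen(expansion) + 1;
	char	*n1 = xmalloc_checked(newsz);

	memcpy(n1, expansion, newsz);
	lb->sz = newsz;			/* describes n1, not lb->buf, from here on */

	if (abort_early) {
		if (fixed) {
			free(lb->buf);
			lb->buf = n1;
			actual_alloc = newsz;
		} else {
			stray = n1;	/* buggy: n1 is abandoned, lb->sz is stale */
		}
		return -1;		/* tell the caller to ignore the line */
	}

	free(lb->buf);
	lb->buf = n1;
	actual_alloc = newsz;
	return 0;
}

/* Run the abort path and return how many bytes the caller would overrun if it
 * trusted lb.sz when writing into lb.buf: 0 means {buf, sz} are consistent. */
size_t
run_scenario(int fixed)
{
	struct linebuf	 lb;
	const char	*line = ".mymacro arg";		/* constructed input line */
	const char	*expansion = "expanded macro body\n";	/* constructed expansion */
	size_t		 overrun;

	lb.sz = strlen(line) + 1;
	lb.buf = xmalloc_checked(lb.sz);
	memcpy(lb.buf, line, lb.sz);
	actual_alloc = lb.sz;
	stray = NULL;

	(void)expand_line(&lb, expansion, 1, fixed);

	overrun = lb.sz > actual_alloc ? lb.sz - actual_alloc : 0;

	free(lb.buf);
	free(stray);
	return overrun;
}

int
main(void)
{
	printf("without swap on abort: %zu bytes of overrun exposure\n",
	    run_scenario(0));
	printf("with swap on abort:    %zu bytes of overrun exposure\n",
	    run_scenario(1));
	return 0;
}
```

The number returned for the buggy path is simply the size difference between the new and the old allocation, which is exactly the amount by which a caller that writes `sz` bytes into the old, smaller buffer would run past its end; the fixed path returns 0 because the pointer and the size now describe the same allocation.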
Diffstat (limited to 'roff.c')
-rw-r--r-- roff.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/roff.c b/roff.c
index 54bebf78..5db7f4e7 100644
--- a/roff.c
+++ b/roff.c
@@ -3092,6 +3092,8 @@ roff_userdef(ROFF_ARGS)
else if (++expand_count > EXPAND_LIMIT) {
mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
ln, (int)(cp - n1), NULL);
+ free(buf->buf);
+ buf->buf = n1;
return ROFF_IGN;
}
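Review bot: the two added lines in the EXPAND_LIMIT branch would benefit from a one-line comment stating why the swap is mandatory on this early return, since the hunk alone does not show where buf->sz was set to n1's size; a reader of just these lines cannot tell that `return ROFF_IGN;` without `free(buf->buf); buf->buf = n1;` leaves buf->sz describing n1 while buf->buf still points at the caller's old, smaller allocation. Something like `/* buf->sz already describes n1; hand it back or the caller overruns */` above `+ free(buf->buf);` would make the invariant explicit and discourage the same blunder on any further early return added to this loop.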