After rewriting the parse buffer from scratch, we also have to reset

the parse point to the beginning of the new buffer or we risk out of bounds accesses. Bug found by Leah Neukirchen <leah at vuxu dot org> with valgrind on Void Linux.
author: Ingo Schwarze <schwarze@openbsd.org> 2018-08-01 15:40:17 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2018-08-01 15:40:17 +0000
commit: dfaf51896b71ba07d68f2a0d996bdc9c9264e1a4 (patch)
tree: f72cc88222d88a95faef78f98e64d20065a73cc1 /roff.c
parent: 160e978ed219fefc76edebd7f7d3ed55ed7e74fd (diff)
download: mandoc-dfaf51896b71ba07d68f2a0d996bdc9c9264e1a4.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/roff.c b/roff.c
index 21d80083..c6d7dad1 100644
--- a/roff.c
+++ b/roff.c
@@ -2845,6 +2845,7 @@ roff_TE(ROFF_ARGS)
 		free(buf->buf);
 		buf->buf = mandoc_strdup(".sp");
 		buf->sz = 4;
+		*offs = 0;
 		return ROFF_REPARSE;
 	}
 	r->tbl = NULL;
@@ -3364,6 +3365,7 @@ roff_userdef(ROFF_ARGS)
 			    ln, (int)(cp - n1), NULL);
 			free(buf->buf);
 			buf->buf = n1;
+			*offs = 0;
 			return ROFF_IGN;
 		}
 
@@ -3458,6 +3460,7 @@ roff_renamed(ROFF_ARGS)
 	    buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
 	free(buf->buf);
 	buf->buf = nbuf;
+	*offs = 0;
 	return ROFF_CONT;
 }
author	Ingo Schwarze <schwarze@openbsd.org>	2018-08-01 15:40:17 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2018-08-01 15:40:17 +0000
commit	dfaf51896b71ba07d68f2a0d996bdc9c9264e1a4 (patch)
tree	f72cc88222d88a95faef78f98e64d20065a73cc1 /roff.c
parent	160e978ed219fefc76edebd7f7d3ed55ed7e74fd (diff)
download	mandoc-dfaf51896b71ba07d68f2a0d996bdc9c9264e1a4.tar.gz