author | Ingo Schwarze <schwarze@openbsd.org> | 2020-09-03 17:42:15 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2020-09-03 17:42:15 +0000 |
commit | a35ab663d9d8a034e201211f9a845f9241f7e404 (patch) | |
tree | dc2bd5b04e8efb3db52a29151396c79e7eecea5c /roff_term.c | |
parent | a16b428562f34f00dcddfb348725b4270d05654f (diff) | |
download | mandoc-a35ab663d9d8a034e201211f9a845f9241f7e404.tar.gz |
If .ti had an excessive argument, using it was attempted, in some
cases resulting in an assertion failure. Instead, truncate the
temporary indent to a width reasonable in a manual page.
I found the issue in an afl run
that was performed by Jan Schreiber <jes at posteo dot de>.
Diffstat (limited to 'roff_term.c')
-rw-r--r-- | roff_term.c | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/roff_term.c b/roff_term.c index 72d1887e..ff71dc35 100644 --- a/roff_term.c +++ b/roff_term.c @@ -210,6 +210,7 @@ roff_term_pre_ti(ROFF_TERM_ARGS) { struct roffsu su; const char *cp; + const size_t maxoff = 72; int len, sign; roff_term_pre_br(p, n); @@ -230,17 +231,26 @@ roff_term_pre_ti(ROFF_TERM_ARGS) return; len = term_hen(p, &su); - if (sign == 0) { + switch (sign) { + case 1: + if (p->tcol->offset + len <= maxoff) + p->ti = len; + else if (p->tcol->offset < maxoff) + p->ti = maxoff - p->tcol->offset; + else + p->ti = 0; + break; + case -1: + if ((size_t)len < p->tcol->offset) + p->ti = -len; + else + p->ti = -p->tcol->offset; + break; + default: + if ((size_t)len > maxoff) + len = maxoff; p->ti = len - p->tcol->offset; - p->tcol->offset = len; - } else if (sign == 1) { - p->ti = len; - p->tcol->offset += len; - } else if ((size_t)len < p->tcol->offset) { - p->ti = -len; - p->tcol->offset -= len; - } else { - p->ti = -p->tcol->offset; - p->tcol->offset = 0; + break; } + p->tcol->offset += p->ti; } |
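Review bot: In the first hunk (the declarations of roff_term_pre_ti), `const size_t maxoff = 72;` is a bare magic number with no comment giving its unit or the reason for 72. The commit message only says "a width reasonable in a manual page". A one-line comment on the declaration stating that it is in the same units as the value returned by `term_hen(p, &su)` would let the clamps in the switch be checked against it.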
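Review bot: In the second hunk (the new `switch (sign)`), the bounds checks mix the signed `int len` with unsigned values and there is no check for `len < 0`. In the `default:` branch, `(size_t)len > maxoff` turns a negative `len` into a very large value, so it is clamped to 72 rather than to 0. In `case 1:`, `p->tcol->offset + len <= maxoff` is evaluated in unsigned arithmetic if `offset` is a `size_t`, as the `(size_t)len` cast in `case -1:` suggests, so a negative `len` can wrap around and pass the test. The closing `p->tcol->offset += p->ti;` could then move the offset below zero. If `term_hen()` can return a negative value here, handle `len < 0` right after `len = term_hen(p, &su);`. Independently, write the `case 1:` test as `offset < maxoff` first and then `(size_t)len <= maxoff - offset`, so that no sum is formed.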