When a man(7) document contains unreasonably large numbers for

indentations or paragraph distances, large output may be generated, which is practically the same as an endless loop; found by jsg@ with afl. Reject such unreasonably large numbers beyond arbitrary limits similar to those used by groff (max. 65 blank lines between paragraphs and max. SHRT_MAX characters per output line) and fall back to defaults when exceeded. Having the limits behave in exactly the same way is not relevant.
author: Ingo Schwarze <schwarze@openbsd.org> 2014-12-24 09:58:35 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-12-24 09:58:35 +0000
commit: b90b724e08fcba984d8b57dd4b4bf1be91691628 (patch)
tree: 5fde85230f507da92dd2056c9445f8820b995b1f /term.c
parent: 4ad53635f5202474c55af90f70bba0ade18962cb (diff)
download: mandoc-b90b724e08fcba984d8b57dd4b4bf1be91691628.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/term.c b/term.c
index ee9f31f3..3efc2709 100644
--- a/term.c
+++ b/term.c
@@ -773,6 +773,7 @@ int
 term_vspan(const struct termp *p, const struct roffsu *su)
 {
 	double		 r;
+	int		 ri;
 
 	switch (su->unit) {
 	case SCALE_BU:
@@ -808,7 +809,8 @@ term_vspan(const struct termp *p, const struct roffsu *su)
 		abort();
 		/* NOTREACHED */
 	}
-	return(r > 0.0 ? r + 0.4995 : r - 0.4995);
+	ri = r > 0.0 ? r + 0.4995 : r - 0.4995;
+	return(ri < 66 ? ri : 1);
 }
 
 int
author	Ingo Schwarze <schwarze@openbsd.org>	2014-12-24 09:58:35 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2014-12-24 09:58:35 +0000
commit	b90b724e08fcba984d8b57dd4b4bf1be91691628 (patch)
tree	5fde85230f507da92dd2056c9445f8820b995b1f /term.c
parent	4ad53635f5202474c55af90f70bba0ade18962cb (diff)
download	mandoc-b90b724e08fcba984d8b57dd4b4bf1be91691628.tar.gz