-rw-r--r--NEWS4
-rw-r--r--roff.c3
2 files changed, 6 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index ed318d89..b3f3b825 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,8 @@ Changes in version 1.14.4, released on August XXX, 2018
* Only activate UTF-8 output when the user really selected UTF-8,
not some other multibyte character encoding.
* Prevent excessive .ll arguments from generating infinite output.
+ * Fix out of bounds accesses to parse buffers that could happen when
+ using renamed or user defined macros after roff(7) conditionals.
* Avoid an assertion failure in certain .Bl -column lists.
* Avoid a NULL pointer access on deroff() failure after '.SS ""'.
* Fix a segfault that could be triggered by two invalid .Dt macros.
@@ -60,7 +62,7 @@ Changes in version 1.14.4, released on August XXX, 2018
* Thomas Klausner (NetBSD) for suggesting two new style messages,
one new feature, and for two bug reports.
* Leah Neukirchen (Void Linux) for suggesting a new style message,
- four bug reports, and release testing.
+ five bug reports, and release testing.
* Anthony Bentley (OpenBSD) for reporting multiple bugs and missing
features.
* Paul Irofti (OpenBSD) and Nate Bargmann for suggesting new features.
diff --git a/roff.c b/roff.c
index 21d80083..c6d7dad1 100644
--- a/roff.c
+++ b/roff.c
@@ -2845,6 +2845,7 @@ roff_TE(ROFF_ARGS)
free(buf->buf);
buf->buf = mandoc_strdup(".sp");
buf->sz = 4;
+ *offs = 0;
return ROFF_REPARSE;
}
r->tbl = NULL;
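Review bot: The added `*offs = 0;` in roff_TE, and the identical lines in the roff_userdef and roff_renamed hunks, have no comment saying why the offset must be reset, so the invariant is easy to lose the next time a path swaps `buf->buf`. Going by the NEWS entry, a stale offset left over from an earlier conditional could index past the replacement buffer; I would put `/* buf->buf was replaced; a stale *offs may point beyond the new buffer */` above each reset. The same free/assign/reset sequence now appears three times, so a small static helper that sets `buf->buf`, `buf->sz` and `*offs` together would keep the three from drifting apart. roff_TE's body starts and ends outside this hunk, so other exits that replace the buffer could not be checked here.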
@@ -3364,6 +3365,7 @@ roff_userdef(ROFF_ARGS)
ln, (int)(cp - n1), NULL);
free(buf->buf);
buf->buf = n1;
+ *offs = 0;
return ROFF_IGN;
}
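Review bot: In this roff_userdef path `buf->buf` is replaced by `n1` and `*offs` is reset, but no matching update of `buf->sz` is visible, unlike roff_TE, which sets `buf->sz = 4` next to the new buffer. Unless the size is assigned above the hunk, it may still describe the freed allocation; adding `buf->sz = strlen(n1) + 1;` beside the assignment would keep pointer and length consistent even though the line is returned as ROFF_IGN. The function begins before the hunk, so this needs confirming against the full body.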
@@ -3458,6 +3460,7 @@ roff_renamed(ROFF_ARGS)
buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
free(buf->buf);
buf->buf = nbuf;
+ *offs = 0;
return ROFF_CONT;
}