From 7e11f5e8dfe286f6fd2d23cfa92e265c9843be00 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Sat, 21 Oct 2023 17:10:17 +0000
Subject: When parsing a macro argument results in delayed escape sequence
 expansion, re-check for all contained escape sequences whether they need
 delayed expansion, not just for the particular escape sequences that
 triggered delayed expansion in the first place.  This is needed because
 delayed expansion can result in strings containing nested escape sequences
 recursively needing delayed expansion, too.

This fixes an assertion failure in krb5_openlog(3), see:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266882

Thanks to Wolfram Schneider <wosch at FreeBSD> for reporting the bug
and to Baptiste Daroussin <bapt at FreeBSD> for forwarding the report.
---
 mandoc.h |  1 -
 roff.c   | 11 +++--------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/mandoc.h b/mandoc.h
index b0817905..6b1e95f7 100644
--- a/mandoc.h
+++ b/mandoc.h
@@ -23,7 +23,6 @@
 #define ASCII_NBRZW	 30  /* non-breaking zero-width space */
 #define ASCII_BREAK	 29  /* breakable zero-width space */
 #define ASCII_HYPH	 28  /* breakable hyphen */
-#define ASCII_ESC	 27  /* escape sequence from copy-in processing */
 #define ASCII_TABREF	 26  /* reset tab reference position */
 
 /*
diff --git a/roff.c b/roff.c
index 38d129ea..3c1a3089 100644
--- a/roff.c
+++ b/roff.c
@@ -1387,7 +1387,7 @@ roff_expand(struct roff *r, struct buf *buf, int ln, int pos, char ec)
 		 */
 
 		if (buf->buf[pos] != ec) {
-			if (ec != ASCII_ESC && buf->buf[pos] == '\\') {
+			if (buf->buf[pos] == '\\') {
 				roff_expand_patch(buf, pos, "\\e", pos + 1);
 				pos++;
 			}
@@ -1632,12 +1632,7 @@ roff_getarg(struct roff *r, char **cpp, int ln, int *pos)
 				cp++;
 				break;
 			case '\\':
-				/*
-				 * Signal to roff_expand() that an escape
-				 * sequence resulted from copy-in processing
-				 * and needs to be checked or interpolated.
-				 */
-				cp[-pairs] = ASCII_ESC;
+				cp[-pairs] = '\\';
 				newesc = 1;
 				pairs++;
 				cp++;
@@ -1694,7 +1689,7 @@ roff_getarg(struct roff *r, char **cpp, int ln, int *pos)
 	buf.buf = start;
 	buf.sz = strlen(start) + 1;
 	buf.next = NULL;
-	if (roff_expand(r, &buf, ln, 0, ASCII_ESC) & ROFF_IGN) {
+	if (roff_expand(r, &buf, ln, 0, '\\') & ROFF_IGN) {
 		free(buf.buf);
 		buf.buf = mandoc_strdup("");
 	}
-- 
cgit