From b59f9b9322a3cf804a69a50993cd75f5b6882ef5 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Fri, 16 Mar 2018 20:41:41 +0000
Subject: Ouch, fix previous:  In the edge case of a single-character string
 containing nothing but a single hyphen, the pointer got incremented twice at
 one point, causing a read overrun found by naddy@.

---
 mdoc_validate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mdoc_validate.c b/mdoc_validate.c
index 489c5adf..54342b98 100644
--- a/mdoc_validate.c
+++ b/mdoc_validate.c
@@ -412,8 +412,9 @@ check_text_em(struct roff_man *mdoc, int ln, int pos, char *p)
 	/* Look for em-dashes wrongly encoded as "--". */
 
 	for (cp = p; *cp != '\0'; cp++) {
-		if (*cp != '-' || *++cp != '-')
+		if (cp[0] != '-' || cp[1] != '-')
 			continue;
+		cp++;
 
 		/* Skip input sequences of more than two '-'. */
 
-- 
cgit