From bf4e8be28e69b65461d7a841458ac67ee3193d7f Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Sat, 11 Mar 2017 15:43:04 +0000
Subject: Improve detection of recursive eqn(7) "define" statements: Do not only catch "define key 'key other stuff'", but also "define key 'other stuff key'". Fixing infinite loop found by tb@ with afl(1).
---
 eqn.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'eqn.c')
diff --git a/eqn.c b/eqn.c
index 2d979dcd..e3b31e98 100644
--- a/eqn.c
+++ b/eqn.c
@@ -366,15 +366,19 @@ eqn_def_find(struct eqn_node *ep, const char *key, size_t sz)
 static const char *
 eqn_next(struct eqn_node *ep, char quote, size_t *sz, int repl)
 {
+ static size_t last_len;
+ static int lim;
+
 char *start, *next;
- int q, diff, lim;
+ int q, diff;
 size_t ssz, dummy;
 struct eqn_def *def;
 if (NULL == sz)
 sz = &dummy;
- lim = 0;
+ if (ep->cur >= last_len)
+ lim = 0;
 ep->rew = ep->cur;
 again:
 /* Prevent self-definitions. */
@@ -448,6 +452,7 @@ again:
 memmove(start + *sz + diff, start + *sz,
 (strlen(start) - *sz) + 1);
 memcpy(start, def->val, def->valsz);
+ last_len = start - ep->data + def->valsz;
 lim++;
 goto again;
 }
--
cgit
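Review bot: The two new function-local `static` variables `last_len` and `lim` keep the recursion accounting alive across calls made for different `struct eqn_node` instances, so a `last_len` measured against one node's `ep->data` is later compared with the `ep->cur` of an unrelated node; if that stale offset is larger than the new node's positions, `lim = 0` never runs and `lim` keeps counting from wherever the previous equation stopped, which can trip the nesting limit (presumably checked against `lim` further down, outside this hunk) on an equation that expands nothing recursively. Keeping the state per node avoids this: add both fields to `struct eqn_node` (declared outside this hunk), zero them where the node is allocated, and write the added lines as `if (ep->cur >= ep->last_len) ep->lim = 0;` here and `ep->last_len = start - ep->data + def->valsz; ep->lim++;` in the second hunk. Function-local statics also make `eqn_next` non-reentrant; that probably does not matter for a single-threaded parser, but if they stay, a comment such as `/* Expansion state carried across calls; reset when the cursor passes the last replaced text. */` above the declarations would explain why a local counter was not enough. The body of eqn_next, including the limit check and the error path, continues outside both hunks.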