From a85c2bafa990fdb5b501994d2144372b0a789395 Mon Sep 17 00:00:00 2001
From: Kristaps Dzonsons <kristaps@bsd.lv>
Date: Mon, 18 Aug 2014 09:11:47 +0000
Subject: Fix a corner case where \H<nil> (where <nil> is the \0 character)
 would cause mandoc_escape() to read past the end of an allocated string.
 Found when a script scanning of all Mac OSX manual accidentally also scanned
 binary (gzip'd) files, discussed with schwarze@ on tech@.

---
 mandoc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'mandoc.c')

diff --git a/mandoc.c b/mandoc.c
index ca9759dc..f454a40e 100644
--- a/mandoc.c
+++ b/mandoc.c
@@ -199,7 +199,8 @@ mandoc_escape(const char **end, const char **start, int *sz)
 		/* FALLTHROUGH */
 	case 'x':
 		if (strchr(" %&()*+-./0123456789:<=>", **start)) {
-			++*end;
+			if ('\0' != **start)
+				++*end;
 			return(ESCAPE_ERROR);
 		}
 		gly = ESCAPE_IGNORE;
-- 
cgit