From 4af7601e56b07fe1eb2c110fd7633ef66197ae30 Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Tue, 19 Mar 2019 16:26:08 +0000 Subject: When the last line of the input is empty and the previous line reduced the line input buffer to a length of one byte, do not write one byte past the end of the line input buffer. Minimal code to show the bug: printf ".ds X\n.X\n\n" | MALLOC_OPTIONS=C mandoc Bug found by bentley@ in the sysutils/rancid par(1) manual page. --- read.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'read.c') diff --git a/read.c b/read.c index 14f9a74e..76c4308e 100644 --- a/read.c +++ b/read.c @@ -255,6 +255,8 @@ mparse_buf_r(struct mparse *curp, struct buf blk, size_t i, int start) /* XXX Ugly hack to mark the end of the input. */ if (i == blk.sz || blk.buf[i] == '\0') { + if (pos + 2 > ln.sz) + resize_buf(&ln, 256); ln.buf[pos++] = '\n'; ln.buf[pos] = '\0'; } -- cgit