From 31a1b153596f42c4e583bc573ad2fd7b41651728 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Tue, 16 Dec 2014 01:22:59 +0000
Subject: When a numerical condition errors out after consuming at least one character of input, treat it as false, do not retry it as a string comparison condition. This also fixes a read buffer overrun that happened when the numerical condition advanced to the end of the input line before erroring out, found by jsg@ with afl.

---
 roff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'roff.c')

diff --git a/roff.c b/roff.c
index 32cc6c31..1e4b408e 100644
--- a/roff.c
+++ b/roff.c
@@ -1249,7 +1249,7 @@ out:
 static int
 roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 {
-	int wanttrue, number;
+	int number, savepos, wanttrue;
 
 	if ('!' == v[*pos]) {
 		wanttrue = 0;
@@ -1282,10 +1282,13 @@ roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 		break;
 	}
 
+	savepos = *pos;
 	if (roff_evalnum(r, ln, v, pos, &number, 0))
 		return((number > 0) == wanttrue);
-	else
+	else if (*pos == savepos)
 		return(roff_evalstrcond(v, pos) == wanttrue);
+	else
+		return (0);
 }
 
 static enum rofferr
-- 
cgit
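Review bot: The check that stops the read overrun lives in the caller — `else if (*pos == savepos)` only refuses to call roff_evalstrcond() when roff_evalnum() has advanced `*pos` — so roff_evalstrcond() itself still has no guard against being handed a position at or beyond the terminator of `v`, and any other call site that reaches it with such a `*pos` would reproduce the overrun; a guard at the top of roff_evalstrcond() (outside this hunk) such as `if (v[*pos] == '\0') return 0;` would make the fix hold independently of the caller. The new `savepos` comparison cannot distinguish "errored after consuming input" from a condition that is legitimately false, so the input is silently dropped; if roff_evalnum() does not already emit a diagnostic for the malformed expression (its body is not visible here), reporting one before `return (0);` would make the failure visible to the document author. As a point of style, the added `return (0);` puts a space before the parenthesis while the two adjacent returns use `return(...)`; keep one form within the function. The enclosing roff_evalcond() starts before this hunk (its declaration is the subject of the first hunk) and the whole middle of its body is outside the view.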