From 37c273b069c3a241be5189ba702febde67d7d787 Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Tue, 16 Dec 2014 03:53:43 +0000 Subject: When a string comparison condition contains no mismatching character but ends without the final delimiter, the parse point was advanced one character too far and the invalid pointer returned to the caller of roff_parseln(). Later use could potentially advance the pointer even further and maybe even write to it. Fixing a buffer overrun found by jsg@ with afl (the most severe so far). --- roff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roff.c') diff --git a/roff.c b/roff.c index 1e4b408e..f44fd6e2 100644 --- a/roff.c +++ b/roff.c @@ -1236,7 +1236,7 @@ roff_evalstrcond(const char *v, int *pos) out: if (NULL == s3) s3 = strchr(s2, '\0'); - else + else if (*s3 != '\0') s3++; *pos = s3 - v; return(match); -- cgit
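Review bot: the new guard `else if (*s3 != '\0')` before `s3++` is the right minimal fix for the unterminated-string case, since it stops the parse point at the terminating NUL rather than one byte past it, but the `out:` label now handles two distinct states without saying so: `s3 == NULL` when the loop found no mismatching character, and `s3` pointing at the NUL when the closing delimiter is missing. A one-line comment there naming both cases, and noting that `*pos = s3 - v` therefore never exceeds the length of `v`, would make the invariant the caller of `roff_parseln()` relies on explicit. Since the commit message credits an afl-found input, consider adding that input as a regression test so the returned position is checked against the string length rather than relying on the caller never reading past it again.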