From c147a10e9238c3d84c374dadb602444272da1d10 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Thu, 1 Jan 2015 19:28:49 +0000
Subject: Fix a buffer overrun triggered by a trailing backslash at EOF in an unclosed conditional body. If the memory contained the byte sequence "\}" after the end of the buffer before the next NUL, this could even write beyond the end of the buffer, specifically '&' to the location of the '}'. Found by jsg@ with afl.
---
 roff.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'roff.c')

diff --git a/roff.c b/roff.c
index de336ca2..518a8fd1 100644
--- a/roff.c
+++ b/roff.c
@@ -1,7 +1,7 @@
 /*	$Id$ */
 /*
- * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
- * Copyright (c) 2010-2014 Ingo Schwarze
+ * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons
+ * Copyright (c) 2010-2015 Ingo Schwarze
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1163,7 +1163,8 @@ roff_cond_sub(ROFF_ARGS)
 			*ep = '&';
 			roff_ccond(r, ln, ep - buf->buf - 1);
 		}
-		++ep;
+		if (*ep != '\0')
+			++ep;
 	}
 	return(rr ? ROFF_CONT : ROFF_IGN);
 }
@@ -1183,7 +1184,8 @@ roff_cond_text(ROFF_ARGS)
 			*ep = '&';
 			roff_ccond(r, ln, ep - buf->buf - 1);
 		}
-		++ep;
+		if (*ep != '\0')
+			++ep;
 	}
 	return(rr ? ROFF_CONT : ROFF_IGN);
 }
--
cgit
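Review bot: The NUL guard added in roff_cond_sub is repeated verbatim in the roff_cond_text hunk, together with the `\}` scan it protects, so the same overrun had to be fixed in two places and the two loops can drift apart again; moving the scan-and-close loop into one shared static helper called from both functions would remove that duplication. The guard also needs a why-comment, because `if (*ep != '\0')` reads like a no-op to anyone who does not know this history: `/* A trailing backslash leaves ep on the NUL; stepping past it would make the next strchr() read beyond the buffer. */`. If the loop condition is a strchr(ep, '\\') call, as the surrounding context suggests, `if (*ep == '\0') break;` followed by an unconditional `++ep;` states the intent more directly and ends the loop without another library call on an empty string. The enclosing while loop and both function bodies start outside the hunk.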