X-Git-Url: https://git.cameronkatri.com/mandoc.git/blobdiff_plain/534f7109d67be81218d79589e38dd8606a7eee5e..9d1775c515c3381957c801b3de57c9b282668dac:/roff.c

diff --git a/roff.c b/roff.c
index a6f27040..cf9a1baa 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.290 2017/03/03 11:50:49 schwarze Exp $ */
+/*	$Id: roff.c,v 1.292 2017/03/08 13:18:10 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -1608,7 +1608,7 @@ roff_parseln(struct roff *r, int ln, struct buf *buf, int *offs)
 			return ROFF_IGN;
 		while (buf->buf[pos] != '\0' && buf->buf[pos] != ' ')
 			pos++;
-		while (buf->buf[pos] != '\0' && buf->buf[pos] == ' ')
+		while (buf->buf[pos] == ' ')
 			pos++;
 		return tbl_read(r->tbl, ln, buf->buf, pos);
 	}
@@ -3038,7 +3038,7 @@ roff_userdef(ROFF_ARGS)
 {
 	const char	 *arg[9], *ap;
 	char		 *cp, *n1, *n2;
-	int		  i, ib, ie;
+	int		  expand_count, i, ib, ie;
 	size_t		  asz, rsz;
 
 	/*
@@ -3062,8 +3062,9 @@ roff_userdef(ROFF_ARGS)
 	 */
 
 	buf->sz = strlen(r->current_string) + 1;
-	n1 = cp = mandoc_malloc(buf->sz);
+	n1 = n2 = cp = mandoc_malloc(buf->sz);
 	memcpy(n1, r->current_string, buf->sz);
+	expand_count = 0;
 	while (*cp != '\0') {
 
 		/* Scan ahead for the next argument invocation. */
@@ -3082,6 +3083,18 @@ roff_userdef(ROFF_ARGS)
 		}
 		cp -= 2;
 
+		/*
+		 * Prevent infinite recursion.
+		 */
+
+		if (cp >= n2)
+			expand_count = 1;
+		else if (++expand_count > EXPAND_LIMIT) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(cp - n1), NULL);
+			return ROFF_IGN;
+		}
+
 		/*
 		 * Determine the size of the expanded argument,
 		 * taking escaping of quotes into account.