Fix a corner case where \H<nil> (where <nil> is the \0 character) would

cause mandoc_escape() to read past the end of an allocated string.
Found when a script scanning of all Mac OSX manual accidentally also
scanned binary (gzip'd) files, discussed with schwarze@ on tech@.

diff --git a/mandoc.c b/mandoc.c
index 0ef124337985bc6adf55997b00ce75cacfad481c..be3e264cf16b922e67775b6363dac331625e0662 100644 (file)
--- a/mandoc.c
+++ b/mandoc.c
@@ -1,4 +1,4 @@
-/*     $Id: mandoc.c,v 1.85 2014/08/16 19:00:01 schwarze Exp $ */
+/*     $Id: mandoc.c,v 1.86 2014/08/18 09:11:47 kristaps Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -199,7 +199,8 @@ mandoc_escape(const char **end, const char **start, int *sz)
                /* FALLTHROUGH */
        case 'x':
                if (strchr(" %&()*+-./0123456789:<=>", **start)) {
-                       ++*end;
+                       if ('\0' != **start)
+                               ++*end;
                        return(ESCAPE_ERROR);
                }
                gly = ESCAPE_IGNORE;