From 3b18ea9139a1bdd9183db6f3ac6d174ad93b3cb3 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Sun, 24 Apr 2022 13:38:46 +0000
Subject: If a .shift request has a negative argument, do not use a negative array index but use 0 instead of the argument, just like groff. Warn about the invalid argument. While here, fix the column number in another warning message. Segfault reported by tb@, found with afl(1).
---
 roff.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'roff.c')
diff --git a/roff.c b/roff.c
index bd222d56..29166fd4 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.381 2022/04/13 13:19:34 schwarze Exp $ */
+/* $Id: roff.c,v 1.382 2022/04/24 13:38:46 schwarze Exp $ */
 /*
 * Copyright (c) 2010-2015, 2017-2022 Ingo Schwarze
 * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons
@@ -3870,8 +3870,9 @@ static int
 roff_shift(ROFF_ARGS)
 {
 struct mctx *ctx;
- int levels, i;
+ int argpos, levels, i;
 
+ argpos = pos;
 levels = 1;
 if (buf->buf[pos] != '\0' &&
 roff_evalnum(r, ln, buf->buf, &pos, &levels, 0) == 0) {
@@ -3886,9 +3887,13 @@ roff_shift(ROFF_ARGS)
 ctx = r->mstack + r->mstackpos;
 if (levels > ctx->argc) {
 mandoc_msg(MANDOCERR_SHIFT,
- ln, pos, "%d, but max is %d", levels, ctx->argc);
+ ln, argpos, "%d, but max is %d", levels, ctx->argc);
 levels = ctx->argc;
 }
+ if (levels < 0) {
+ mandoc_msg(MANDOCERR_ARG_NEG, ln, argpos, "shift %d", levels);
+ levels = 0;
+ }
 if (levels == 0)
 return ROFF_IGN;
 for (i = 0; i < levels; i++)
-- 
cgit v1.2.3
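Review bot: The new `argpos` local in roff_shift() has no comment saying why it exists, so the later switch from `pos` to `argpos` in the diagnostics is easy to undo by accident. The visible call passes `&pos` to roff_evalnum(), which presumably moves it past the number, while the warnings should point at the start of the argument. A one-line comment above `argpos = pos;` would record that, e.g. `/* Column of the argument, saved before roff_evalnum() can advance pos. */`. The function body continues outside this hunk.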
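Review bot: The two clamps after `ctx = r->mstack + r->mstackpos;` establish the invariant `0 <= levels <= ctx->argc` that the `for (i = 0; i < levels; i++)` loop and the code after it rely on, but nothing in the code states it. `levels` is evaluated from the document text, and the commit message describes the negative case as a fuzzer-found segfault. A comment above the first check, such as `/* levels comes from the input file; keep it within [0, ctx->argc] before it is used as an array offset. */`, would help keep both bounds in place on later edits. The loop body lies outside the hunk, so the exact indexing cannot be confirmed from here. The page is limited to roff.c, so it is not visible whether a regression input for a negative `.shift` argument accompanies the commit; if none does, one is worth adding.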