From a0fabe9e5d1cf74cb10020f34f185de90187b8e7 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Thu, 25 Dec 2014 17:23:32 +0000
Subject: Reduce memory and time consumption on certain malformed input files
 by limiting the length of expanded input lines during the (usually recursive)
 expansion of user defined strings. Resource hogging found by jsg@ with afl.

---
 roff.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'roff.c')

diff --git a/roff.c b/roff.c
index 992d9772..8f67e84d 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.244 2014/12/18 17:43:41 schwarze Exp $ */
+/*	$Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -21,6 +21,7 @@
 
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
 		buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
 		    buf->buf, res, cp) + 1;
 
+		if (buf->sz > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
+		}
+
 		/* Prepare for the next replacement. */
 
 		start = nbuf + pos;
-- 
cgit v1.2.3