From b71589000b1859d45cf1f2c247dc91fabf4f6753 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Thu, 3 Sep 2020 17:42:15 +0000
Subject: If .ti had an excessive argument, using it was attempted, in some cases resulting in an assertion failure. Instead, truncate the temporary indent to a width reasonable in a manual page. I found the issue in an afl run that was performed by Jan Schreiber .
---
 roff_term.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)
(limited to 'roff_term.c')
diff --git a/roff_term.c b/roff_term.c
index 9b251f49..ebfb75ef 100644
--- a/roff_term.c
+++ b/roff_term.c
@@ -1,4 +1,4 @@
-/* $Id: roff_term.c,v 1.20 2020/06/22 19:20:40 schwarze Exp $ */
+/* $Id: roff_term.c,v 1.21 2020/09/03 17:42:15 schwarze Exp $ */
 /*
 * Copyright (c) 2010,2014,2015,2017-2019 Ingo Schwarze
 *
@@ -210,6 +210,7 @@ roff_term_pre_ti(ROFF_TERM_ARGS)
 {
 struct roffsu su;
 const char *cp;
+ const size_t maxoff = 72;
 int len, sign;
 roff_term_pre_br(p, n);
@@ -230,17 +231,26 @@ roff_term_pre_ti(ROFF_TERM_ARGS)
 return;
 len = term_hen(p, &su);
- if (sign == 0) {
+ switch (sign) {
+ case 1:
+ if (p->tcol->offset + len <= maxoff)
+ p->ti = len;
+ else if (p->tcol->offset < maxoff)
+ p->ti = maxoff - p->tcol->offset;
+ else
+ p->ti = 0;
+ break;
+ case -1:
+ if ((size_t)len < p->tcol->offset)
+ p->ti = -len;
+ else
+ p->ti = -p->tcol->offset;
+ break;
+ default:
+ if ((size_t)len > maxoff)
+ len = maxoff;
 p->ti = len - p->tcol->offset;
- p->tcol->offset = len;
- } else if (sign == 1) {
- p->ti = len;
- p->tcol->offset += len;
- } else if ((size_t)len < p->tcol->offset) {
- p->ti = -len;
- p->tcol->offset -= len;
- } else {
- p->ti = -p->tcol->offset;
- p->tcol->offset = 0;
+ break;
 }
+ p->tcol->offset += p->ti;
 }
-- cgit v1.2.3
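Review bot: The new `const size_t maxoff = 72;` in the second hunk is a bare number with no comment saying what it bounds or in which unit. The commit message gives the rationale (a width reasonable in a manual page), but that reasoning is not recorded next to the value. A one-line comment on the declaration, for example `/* Upper bound for offset plus temporary indent, in the units term_hen() returns. */`, would keep it with the code. The body of roff_term_pre_ti continues past this hunk.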
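Review bot: In the third hunk, `case 1` tests `p->tcol->offset + len <= maxoff` with `len` declared `int`, so the bound depends on an implicit conversion to the (apparently unsigned) offset type, while the `case -1` and `default` arms cast explicitly with `(size_t)len`. If term_hen() can return a negative width (its definition is not visible here), that sum wraps around, and in `default` the `(size_t)len > maxoff` test would turn a negative value into the full `maxoff` cap instead of a small indent. Normalising once before the switch, e.g. `if (len < 0) len = 0;`, would give all three arms a known non-negative value, and writing `(size_t)len` in `case 1` as well would keep the arms consistent. The function starts above this hunk, where `sign` and `su` are set.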