From 09a8bdf0f2fa584f57aa5d897c98eae1f48ae719 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Wed, 24 Dec 2014 15:38:55 +0000
Subject: Prevent unsigned integer underflow when a number is too wide for a table cell with an "nz" layout specification, causing essentially infinite output as found by jsg@ with afl.
---
 tbl_term.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 (limited to 'tbl_term.c')
diff --git a/tbl_term.c b/tbl_term.c
index 0275b1a2..8f0c786c 100644
--- a/tbl_term.c
+++ b/tbl_term.c
@@ -1,4 +1,4 @@
-/* $Id: tbl_term.c,v 1.31 2014/10/14 18:18:05 schwarze Exp $ */
+/* $Id: tbl_term.c,v 1.32 2014/12/24 15:38:55 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2011 Kristaps Dzonsons
 * Copyright (c) 2011, 2012, 2014 Ingo Schwarze
@@ -417,9 +417,13 @@ tbl_number(struct termp *tp, const struct tbl_opts *opts,
 } else
 d = sz + psz;

- padl = col->decimal - d;
-
- tbl_char(tp, ASCII_NBRSP, padl);
+ if (col->decimal > d && col->width > sz) {
+ padl = col->decimal - d;
+ if (padl + sz > col->width)
+ padl = col->width - sz;
+ tbl_char(tp, ASCII_NBRSP, padl);
+ } else
+ padl = 0;
 tbl_word(tp, dp);
 if (col->width > sz + padl)
 tbl_char(tp, ASCII_NBRSP, col->width - sz - padl);
--
cgit v1.2.3
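Review bot: The added guard around `padl = col->decimal - d` in the second hunk carries no comment saying why it exists, and its clamp `if (padl + sz > col->width)` still depends on an unsigned addition; tbl_number() begins and ends outside the hunk, so the variable types (presumably size_t, given the commit message) are not visible here. Because the enclosing condition already establishes `col->width > sz`, the clamp can be written as `if (padl > col->width - sz)`, which cannot wrap whatever the operand sizes. I would also put a comment above the outer `if`, for example `/* Widths are unsigned: only subtract when the minuend is larger, else the pad count wraps and output is effectively unbounded. */`, so a later cleanup does not fold the checks away. This view is limited to tbl_term.c, so I cannot tell whether a regression input for the "nz" case accompanies the fix; if not, one is worth adding.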