author | 2014-12-16 03:53:43 +0000 | |
---|---|---|
committer | 2014-12-16 03:53:43 +0000 | |
commit | a055c5a463de86365cc98c7fec31a8184cbf1674 (patch) | |
tree | 48ffddf4aa88a2714fec372fd2c22ad738a84d24 | |
parent | b58b21eb48153dd03bf34c28c5dd4c50bb815825 (diff) | |
When a string comparison condition contains no mismatching character
but ends without the final delimiter, the parse point was advanced
one character too far and the invalid pointer returned to the
caller of roff_parseln(). Later use could potentially advance
the pointer even further and maybe even write to it.
Fixing a buffer overrun found by jsg@ with afl (the most severe so far).
-rw-r--r-- | roff.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1,4 +1,4 @@ -/* $Id: roff.c,v 1.241 2014/12/16 01:22:59 schwarze Exp $ */ +/* $Id: roff.c,v 1.242 2014/12/16 03:53:43 schwarze Exp $ */ /* * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -1236,7 +1236,7 @@ roff_evalstrcond(const char *v, int *pos) out: if (NULL == s3) s3 = strchr(s2, '\0'); - else + else if (*s3 != '\0') s3++; *pos = s3 - v; return(match); |
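Review bot: the new `else if (*s3 != '\0')` branch after the `out:` label in roff_evalstrcond() has no comment saying which path leaves s3 on the terminating NUL instead of on a delimiter. A one-line comment there, for example `/* no closing delimiter: stay on the NUL */`, would keep a later cleanup from folding it back into a plain `else` and reintroducing the out-of-bounds `*pos`. The diffstat shows only roff.c changed, so a regression input with a string condition that lacks its final delimiter would be worth adding alongside this fix, so that the value stored in `*pos` is covered by a test.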