Protect against malicious manual pages containing .ll requests with

excessive arguments: apply the same cutoff as for the -O width=
command line argument.

While here, also place some assertions at strategical places to
prevent excessive indentations from being printed in case of bugs.
In the past, we had more than one bug that caused mandoc to print
effectively infinite output, filling up people's /tmp/ file system,
which is not funny.  We cannot prevent bugs from crashing the
program, but we can at least make filling up the disk less likely.

Triggered by a remark from sthen@ on source-changes@.

1 files changed, 7 insertions, 1 deletions

diff --git a/term_ascii.c b/term_ascii.c
index 43905634..f47ffd75 100644
--- a/term_ascii.c
+++ b/term_ascii.c
@@ -1,4 +1,4 @@
-/*	$Id: term_ascii.c,v 1.60 2018/04/13 18:31:00 schwarze Exp $ */
+/*	$Id: term_ascii.c,v 1.61 2018/05/20 21:37:34 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -133,6 +133,8 @@ ascii_init(enum termenc enc, const struct manoutput *outopts)
 	if (outopts->synopsisonly)
 		p->synopsisonly = 1;
 
+	assert(p->defindent < UINT16_MAX);
+	assert(p->defrmargin < UINT16_MAX);
 	return p;
 }
 
@@ -171,6 +173,8 @@ ascii_setwidth(struct termp *p, int iop, int width)
 		p->defrmargin -= width;
 	else
 		p->defrmargin = 0;
+	if (p->defrmargin > 1000)
+		p->defrmargin = 1000;
 	p->lastrmargin = p->tcol->rmargin;
 	p->tcol->rmargin = p->maxrmargin = p->defrmargin;
 }
@@ -239,6 +243,7 @@ ascii_advance(struct termp *p, size_t len)
 {
 	size_t		i;
 
+	assert(len < UINT16_MAX);
 	for (i = 0; i < len; i++)
 		putchar(' ');
 }
@@ -376,6 +381,7 @@ locale_advance(struct termp *p, size_t len)
 {
 	size_t		i;
 
+	assert(len < UINT16_MAX);
 	for (i = 0; i < len; i++)
 		putwchar(L' ');
 }