authorIngo Schwarze <schwarze@openbsd.org>2018-08-01 15:40:17 +0000
committerIngo Schwarze <schwarze@openbsd.org>2018-08-01 15:40:17 +0000
commitca6f84339d4e4202a4cf23994fb07b21eefbbe5b (patch)
tree06c7bfffcdef10ff99139c34675b9e3fccebf835
parent282fe21ce6f22578f85b7b8addcd20b3f99f40fe (diff)
After rewriting the parse buffer from scratch, we also have to reset
the parse point to the beginning of the new buffer, or we risk out-of-bounds accesses. Bug found by Leah Neukirchen <leah at vuxu dot org> with valgrind on Void Linux.
-rw-r--r--NEWS6
-rw-r--r--roff.c5
2 files changed, 8 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index a71e41ca..03cdc10d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-$Id: NEWS,v 1.30 2018/08/01 13:46:15 schwarze Exp $
+$Id: NEWS,v 1.31 2018/08/01 15:40:17 schwarze Exp $
This file lists the most important changes in the mandoc.bsd.lv distribution.
@@ -35,6 +35,8 @@ Changes in version 1.14.4, released on August XXX, 2018
* Only activate UTF-8 output when the user really selected UTF-8,
not some other multibyte character encoding.
* Prevent excessive .ll arguments from generating infinite output.
+ * Fix out of bounds accesses to parse buffers that could happen when
+ using renamed or user defined macros after roff(7) conditionals.
* Avoid an assertion failure in certain .Bl -column lists.
* Avoid a NULL pointer access on deroff() failure after '.SS ""'.
* Fix a segfault that could be triggered by two invalid .Dt macros.
@@ -60,7 +62,7 @@ Changes in version 1.14.4, released on August XXX, 2018
* Thomas Klausner (NetBSD) for suggesting two new style messages,
one new feature, and for two bug reports.
* Leah Neukirchen (Void Linux) for suggesting a new style message,
- four bug reports, and release testing.
+ five bug reports, and release testing.
* Anthony Bentley (OpenBSD) for reporting multiple bugs and missing
features.
* Paul Irofti (OpenBSD) and Nate Bargmann for suggesting new features.
diff --git a/roff.c b/roff.c
index c0ccca87..86e145e3 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.328 2018/04/11 17:11:13 schwarze Exp $ */
+/* $Id: roff.c,v 1.329 2018/08/01 15:40:17 schwarze Exp $ */
/*
* Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -2845,6 +2845,7 @@ roff_TE(ROFF_ARGS)
free(buf->buf);
buf->buf = mandoc_strdup(".sp");
buf->sz = 4;
+ *offs = 0;
return ROFF_REPARSE;
}
r->tbl = NULL;
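Review bot: The added `*offs = 0;` after `buf->sz = 4;` restores the invariant that fixes the out-of-bounds read, but nothing in the code states that invariant, and the same silent reset is repeated in the roff_userdef and roff_renamed hunks, so the next place that replaces buf->buf can forget it just as easily. Add a short comment above the assignment in all three places, e.g. `/* buf->buf was replaced: the parse point must restart at offset 0 */`, or factor the free/assign/reset triple into one small helper so the reset cannot be omitted. In the roff_userdef hunk, buf->buf is reassigned to n1 with no visible update of buf->sz; if sz is not set earlier in that function, callers that bound on buf->sz would still see a stale size, which is worth confirming. The bodies of roff_TE, roff_userdef and roff_renamed all begin before their hunks.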
@@ -3364,6 +3365,7 @@ roff_userdef(ROFF_ARGS)
ln, (int)(cp - n1), NULL);
free(buf->buf);
buf->buf = n1;
+ *offs = 0;
return ROFF_IGN;
}
@@ -3458,6 +3460,7 @@ roff_renamed(ROFF_ARGS)
buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
free(buf->buf);
buf->buf = nbuf;
+ *offs = 0;
return ROFF_CONT;
}