author | Ingo Schwarze <schwarze@openbsd.org> | 2017-03-09 15:29:35 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2017-03-09 15:29:35 +0000 |
commit | 1bcee936fd224aaaa41b2710414512ea400c79f0 (patch) | |
tree | b15bd35d9233f4a9812e757a5bbcd69455538f15 | |
parent | 45fc5a37fb711aa526cb48490fba3c3c2ec09adc (diff) | |
download | mandoc-1bcee936fd224aaaa41b2710414512ea400c79f0.tar.gz mandoc-1bcee936fd224aaaa41b2710414512ea400c79f0.tar.zst mandoc-1bcee936fd224aaaa41b2710414512ea400c79f0.zip |
Fix blunder in previous: we must keep the line parse buffer
consistent even when aborting the parsing of the line. That buffer
is not our own, but owned and reused by mparse_buf_r(), read.c.
Returning without cleanup leaked memory and caused write overruns
of the old, typically much smaller buffer in mparse_buf_r().
Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.
-rw-r--r-- | roff.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $Id: roff.c,v 1.292 2017/03/08 13:18:10 schwarze Exp $ */ +/* $Id: roff.c,v 1.293 2017/03/09 15:29:35 schwarze Exp $ */ /* * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org> @@ -3092,6 +3092,8 @@ roff_userdef(ROFF_ARGS) else if (++expand_count > EXPAND_LIMIT) { mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, (int)(cp - n1), NULL); + free(buf->buf); + buf->buf = n1; return ROFF_IGN; } |
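Review bot: The two added lines in the roff_userdef hunk (`free(buf->buf);` followed by `buf->buf = n1;`) hand the caller back the original pointer before `return ROFF_IGN;`, which addresses the leak and the overrun the message describes, but nothing in the hunk shows the buffer's recorded size being restored along with the pointer; if the working copy was grown before the EXPAND_LIMIT branch is reached, the size the caller sees should again describe n1, so either reset it here too or confirm it was never changed on this path. A one-line comment at the restore saying that n1 is the buffer owned by mparse_buf_r() (as the message states) and buf->buf is the temporary copy would also guard against a later edit swapping the two and double-freeing.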