authorIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-12-25 17:23:32 +0000
commita0fabe9e5d1cf74cb10020f34f185de90187b8e7 (patch)
tree51d6e679dc960e1d827712ffa182c77b369ede68
parent99675b100277273906e22e0a39880cb928874a24 (diff)
Reduce memory and time consumption on certain malformed input files
by limiting the length of expanded input lines during the (usually recursive) expansion of user-defined strings. Resource hogging found by jsg@ with afl.
-rw-r--r--roff.710
-rw-r--r--roff.c9
2 files changed, 14 insertions, 5 deletions
diff --git a/roff.7 b/roff.7
index 6ee29321..eeda83c7 100644
--- a/roff.7
+++ b/roff.7
@@ -1,4 +1,4 @@
-.\" $Id: roff.7,v 1.60 2014/12/02 10:08:06 schwarze Exp $
+.\" $Id: roff.7,v 1.61 2014/12/25 17:23:32 schwarze Exp $
.\"
.\" Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
.\" Copyright (c) 2010, 2011, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: December 25 2014 $
.Dt ROFF 7
.Os
.Sh NAME
@@ -543,8 +543,10 @@ one explicit newline character.
In order to prevent endless recursion, both groff and
.Xr mandoc 1
limit the stack depth for expanding macros and strings
-to a large, but finite number.
-Do not rely on the exact value of this limit.
+to a large, but finite number, and
+.Xr mandoc 1
+also limits the length of the expanded input line.
+Do not rely on the exact values of these limits.
.Ss \&dei
Define a
.Nm
diff --git a/roff.c b/roff.c
index 992d9772..8f67e84d 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.244 2014/12/18 17:43:41 schwarze Exp $ */
+/* $Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */
/*
* Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -21,6 +21,7 @@
#include <assert.h>
#include <ctype.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
buf->buf, res, cp) + 1;
+ if (buf->sz > SHRT_MAX) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(stesc - buf->buf), NULL);
+ return(ROFF_IGN);
+ }
+
/* Prepare for the next replacement. */
start = nbuf + pos;