diff options
author | 2017-07-31 15:19:06 +0000 | |
---|---|---|
committer | 2017-07-31 15:19:06 +0000 | |
commit | ea3e75363c1a526374ce4922e3ad0823294ef755 (patch) | |
tree | e18aae1a351c6890087bc93781008501952720fa /man_term.c | |
parent | 3f6fd5631f971c253e67669ec511eff707c1de29 (diff) | |
download | mandoc-ea3e75363c1a526374ce4922e3ad0823294ef755.tar.gz mandoc-ea3e75363c1a526374ce4922e3ad0823294ef755.tar.zst mandoc-ea3e75363c1a526374ce4922e3ad0823294ef755.zip |
Fix an out of bounds read access to a constant array that caused
segfaults on certain hardened versions of glibc. Triggered by .sp
or blank lines right before .SS or .SH, or before the first .Sh.
Found the hard way by Dr. Markus Waldner on Debian
and by Leah Neukirchen on Void Linux.
Diffstat (limited to 'man_term.c')
-rw-r--r-- | man_term.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -1,4 +1,4 @@ -/* $Id: man_term.c,v 1.208 2017/06/25 11:42:02 schwarze Exp $ */ +/* $Id: man_term.c,v 1.209 2017/07/31 15:19:06 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org> @@ -673,7 +673,7 @@ pre_SS(DECL_ARGS) do { n = n->prev; - } while (n != NULL && n->tok != TOKEN_NONE && + } while (n != NULL && n->tok >= MAN_TH && termacts[n->tok].flags & MAN_NOTEXT); if (n == NULL || (n->tok == MAN_SS && n->body->child == NULL)) break; @@ -735,7 +735,7 @@ pre_SH(DECL_ARGS) do { n = n->prev; - } while (n != NULL && n->tok != TOKEN_NONE && + } while (n != NULL && n->tok >= MAN_TH && termacts[n->tok].flags & MAN_NOTEXT); if (n == NULL || (n->tok == MAN_SH && n->body->child == NULL)) break; |