Fix a corner case where \H<nil> (where <nil> is the \0 character) would

cause mandoc_escape() to read past the end of an allocated string. Found when a script scanning of all Mac OSX manual accidentally also scanned binary (gzip'd) files, discussed with schwarze@ on tech@.
author: Kristaps Dzonsons <kristaps@bsd.lv> 2014-08-18 09:11:47 +0000
committer: Kristaps Dzonsons <kristaps@bsd.lv> 2014-08-18 09:11:47 +0000
commit: 9c36db1cacb75563c9a544bababb0ca9d08844a0 (patch)
tree: 0fa691c63bfe47982fbfe1150a48ff37e60a8f92 /mandoc.c
parent: 433225aa5c972c772c1c63614b12c9be6a42c910 (diff)
download: mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.tar.gz
mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.tar.zst
mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/mandoc.c b/mandoc.c
index 0ef12433..be3e264c 100644
--- a/mandoc.c
+++ b/mandoc.c
@@ -1,4 +1,4 @@
-/*	$Id: mandoc.c,v 1.85 2014/08/16 19:00:01 schwarze Exp $ */
+/*	$Id: mandoc.c,v 1.86 2014/08/18 09:11:47 kristaps Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -199,7 +199,8 @@ mandoc_escape(const char **end, const char **start, int *sz)
 		/* FALLTHROUGH */
 	case 'x':
 		if (strchr(" %&()*+-./0123456789:<=>", **start)) {
-			++*end;
+			if ('\0' != **start)
+				++*end;
 			return(ESCAPE_ERROR);
 		}
 		gly = ESCAPE_IGNORE;
author	Kristaps Dzonsons <kristaps@bsd.lv>	2014-08-18 09:11:47 +0000
committer	Kristaps Dzonsons <kristaps@bsd.lv>	2014-08-18 09:11:47 +0000
commit	9c36db1cacb75563c9a544bababb0ca9d08844a0 (patch)
tree	0fa691c63bfe47982fbfe1150a48ff37e60a8f92 /mandoc.c
parent	433225aa5c972c772c1c63614b12c9be6a42c910 (diff)
download	mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.tar.gz mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.tar.zst mandoc-9c36db1cacb75563c9a544bababb0ca9d08844a0.zip