authorIngo Schwarze <schwarze@openbsd.org>2017-03-09 15:29:35 +0000
committerIngo Schwarze <schwarze@openbsd.org>2017-03-09 15:29:35 +0000
commit1bcee936fd224aaaa41b2710414512ea400c79f0 (patch)
treeb15bd35d9233f4a9812e757a5bbcd69455538f15 /roff.c
parent45fc5a37fb711aa526cb48490fba3c3c2ec09adc (diff)
Fix blunder in previous: we must keep the line parse buffer
consistent even when aborting the parsing of the line. That buffer is not our own, but owned and reused by mparse_buf_r(), read.c. Returning without cleanup leaked memory and caused write overruns of the old, typically much smaller buffer in mparse_buf_r(). Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.
Diffstat (limited to 'roff.c')
-rw-r--r--roff.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/roff.c b/roff.c
index cf9a1baa..268d6470 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.292 2017/03/08 13:18:10 schwarze Exp $ */
+/* $Id: roff.c,v 1.293 2017/03/09 15:29:35 schwarze Exp $ */
/*
* Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -3092,6 +3092,8 @@ roff_userdef(ROFF_ARGS)
else if (++expand_count > EXPAND_LIMIT) {
mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
ln, (int)(cp - n1), NULL);
+ free(buf->buf);
+ buf->buf = n1;
return ROFF_IGN;
}