authorIngo Schwarze <schwarze@openbsd.org>2018-08-01 15:40:17 +0000
committerIngo Schwarze <schwarze@openbsd.org>2018-08-01 15:40:17 +0000
commitca6f84339d4e4202a4cf23994fb07b21eefbbe5b (patch)
tree06c7bfffcdef10ff99139c34675b9e3fccebf835 /roff.c
parent282fe21ce6f22578f85b7b8addcd20b3f99f40fe (diff)
After rewriting the parse buffer from scratch, we also have to reset
the parse point to the beginning of the new buffer, or we risk out-of-bounds accesses. Bug found by Leah Neukirchen <leah at vuxu dot org> with valgrind on Void Linux.
Diffstat (limited to 'roff.c')
-rw-r--r--roff.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/roff.c b/roff.c
index c0ccca87..86e145e3 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.328 2018/04/11 17:11:13 schwarze Exp $ */
+/* $Id: roff.c,v 1.329 2018/08/01 15:40:17 schwarze Exp $ */
/*
* Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -2845,6 +2845,7 @@ roff_TE(ROFF_ARGS)
free(buf->buf);
buf->buf = mandoc_strdup(".sp");
buf->sz = 4;
+ *offs = 0;
return ROFF_REPARSE;
}
r->tbl = NULL;
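Review bot: The size assignment two lines above the new reset, `buf->sz = 4;`, is a magic number that must stay equal to the length of the literal handed to mandoc_strdup plus its terminator; anyone changing the replacement text later has to remember to change 4 as well. `buf->sz = sizeof ".sp";` ties the two together and evaluates to the same value. Since the fix depends on three fields being reset together, a one-line comment above `free(buf->buf);` such as `/* replacing the buffer: size and parse point must be reset with it */` would document the invariant this commit restores. roff_TE starts and ends outside the hunk, so I cannot see whether ROFF_REPARSE's caller has any other assumption about offs.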
@@ -3364,6 +3365,7 @@ roff_userdef(ROFF_ARGS)
ln, (int)(cp - n1), NULL);
free(buf->buf);
buf->buf = n1;
+ *offs = 0;
return ROFF_IGN;
}
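Review bot: After `buf->buf = n1;` the visible lines reset the parse point but not `buf->sz`; if the size is not updated to n1's allocation elsewhere in roff_userdef (the rest of the function is outside the hunk), a later consumer that trusts buf->sz as the bound of the new buffer could still read past the end of n1 even with `*offs = 0`. If the size is in fact already set earlier, a comment at this site stating that would help the next reader, e.g. `/* buf->sz was already set to n1's size above; only the parse point needs resetting */`. Please confirm which case applies, since the commit message describes exactly this class of stale-field bug.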
@@ -3458,6 +3460,7 @@ roff_renamed(ROFF_ARGS)
buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
free(buf->buf);
buf->buf = nbuf;
+ *offs = 0;
return ROFF_CONT;
}
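Review bot: This is the third site in the same commit that performs the same three-step replacement — free the old buffer, install the new one, reset `*offs` — and the bug being fixed was precisely that one of the steps was missed; leaving the sequence inlined at each site keeps that failure mode available for the next buffer rewrite. A small static helper that takes the buffer, the replacement and its size, and the offset pointer would make it impossible to install a buffer without resetting the parse point; the nbuf size computed by the call above `free(buf->buf);` would be passed through unchanged. roff_renamed continues outside the hunk, so the helper's call site shown below assumes the size is already in `buf->sz` at this point.
```c
/* Install a freshly built parse buffer, resetting the parse point. */
static void
roff_setbuf(struct buf *buf, char *nbuf, size_t sz, int *offs)
{
	free(buf->buf);
	buf->buf = nbuf;
	buf->sz = sz;
	*offs = 0;
}

	/* … unchanged: nbuf construction and size computation … */
	roff_setbuf(buf, nbuf, buf->sz, offs);
	return ROFF_CONT;
```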