improve previous: do the size check up front to avoid leaking memory

1 files changed, 5 insertions, 7 deletions

diff --git a/roff.c b/roff.c
index 8f67e84d..c421ea29 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */
+/*	$Id: roff.c,v 1.246 2014/12/28 14:16:26 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -651,6 +651,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
 			    r->parse, ln, (int)(stesc - buf->buf),
 			    "%.*s", (int)naml, stnam);
 			res = "";
+		} else if (buf->sz + strlen(res) > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
 		}
 
 		/* Replace the escape sequence by the string. */
@@ -659,12 +663,6 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos)
 		buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
 		    buf->buf, res, cp) + 1;
 
-		if (buf->sz > SHRT_MAX) {
-			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
-			    ln, (int)(stesc - buf->buf), NULL);
-			return(ROFF_IGN);
-		}
-
 		/* Prepare for the next replacement. */
 
 		start = nbuf + pos;