author | Ingo Schwarze <schwarze@openbsd.org> | 2014-12-16 01:22:59 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-12-16 01:22:59 +0000 |
commit | b58b21eb48153dd03bf34c28c5dd4c50bb815825 (patch) | |
tree | 0342ceb2ab4fb1c778325a2c7a89cb2786452679 /roff.c | |
parent | 30ea145900ca3b0e27b62eb6f5efb69bd217753d (diff) | |
When a numerical condition errors out after consuming at least one
character of input, treat it as false, do not retry it as a string
comparison condition. This also fixes a read buffer overrun that
happened when the numerical condition advanced to the end of the
input line before erroring out, found by jsg@ with afl.
Diffstat (limited to 'roff.c')
-rw-r--r-- | roff.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.240 2014/12/15 23:43:26 schwarze Exp $ */
+/* $Id: roff.c,v 1.241 2014/12/16 01:22:59 schwarze Exp $ */
 /*
 * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
 * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -1249,7 +1249,7 @@ out:
 static int
 roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 {
- int wanttrue, number;
+ int number, savepos, wanttrue;
 if ('!' == v[*pos]) {
 wanttrue = 0;
@@ -1282,10 +1282,13 @@ roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 break;
 }
+ savepos = *pos;
 if (roff_evalnum(r, ln, v, pos, &number, 0))
 return((number > 0) == wanttrue);
- else
+ else if (*pos == savepos)
 return(roff_evalstrcond(v, pos) == wanttrue);
+ else
+ return (0);
 }
 static enum rofferr |
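Review bot: The `else if (*pos == savepos)` guard added in the third hunk is what keeps roff_evalstrcond() from starting at a position roff_evalnum() has already advanced, possibly to the end of `v` (the overrun named in the commit message), yet nothing in the code records that invariant. A short comment above `savepos = *pos;` would protect it from a later cleanup, for example `/* Retry as a string condition only if roff_evalnum() consumed nothing; otherwise *pos may be at the end of the line. */`. The final `return (0);` ignores `wanttrue`, so a negated condition with a malformed number also evaluates false; that matches the commit message, but the comment should say it is deliberate. It is also spelled `return (0)` where the neighbouring lines use `return(`. The body of roff_evalcond begins in the second hunk and the lines between the two hunks are not shown here.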