authorIngo Schwarze <schwarze@openbsd.org>2014-12-16 01:22:59 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-12-16 01:22:59 +0000
commitb58b21eb48153dd03bf34c28c5dd4c50bb815825 (patch)
tree0342ceb2ab4fb1c778325a2c7a89cb2786452679 /roff.c
parent30ea145900ca3b0e27b62eb6f5efb69bd217753d (diff)
When a numerical condition errors out after consuming at least one
character of input, treat it as false, do not retry it as a string comparison condition. This also fixes a read buffer overrun that happened when the numerical condition advanced to the end of the input line before erroring out, found by jsg@ with afl.
Diffstat (limited to 'roff.c')
-rw-r--r--roff.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/roff.c b/roff.c
index 669a1cdb..37a03621 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.240 2014/12/15 23:43:26 schwarze Exp $ */
+/* $Id: roff.c,v 1.241 2014/12/16 01:22:59 schwarze Exp $ */
/*
* Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -1249,7 +1249,7 @@ out:
static int
roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
{
- int wanttrue, number;
+ int number, savepos, wanttrue;
if ('!' == v[*pos]) {
wanttrue = 0;
@@ -1282,10 +1282,13 @@ roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
break;
}
+ savepos = *pos;
if (roff_evalnum(r, ln, v, pos, &number, 0))
return((number > 0) == wanttrue);
- else
+ else if (*pos == savepos)
return(roff_evalstrcond(v, pos) == wanttrue);
+ else
+ return (0);
}
static enum rofferr
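Review bot: The new `savepos` guard in roff_evalcond has no comment, although going by the commit message it is what stops roff_evalstrcond from running after a failed roff_evalnum has already advanced `*pos`, possibly to the end of the input line. I would add above `savepos = *pos;` something like `/* If the numeric parse fails after consuming input, do not retry as a string comparison: *pos may already be at the end of the line. */`. The final `return (0);` also ignores `wanttrue`, so a negated condition with a malformed number evaluates to false as well; that appears to be the intent ("treat it as false") but deserves a mention in the same comment. As a style point, the other returns in this hunk are written `return(...)` without a space. The function body starts before this hunk, so the earlier branches are not visible here.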