diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2015-02-10 11:03:13 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2015-02-10 11:03:13 +0000 |
| commit | 25662a4940503ffb064a92f60db8cd83050b1878 (patch) | |
| tree | ebd3a989907ff2553c24cb89161877368d0d7f23 /tbl_layout.c | |
| parent | 2f05117d9472fd6926678d83a6d992924f8809ef (diff) | |
| download | mandoc-25662a4940503ffb064a92f60db8cd83050b1878.tar.gz mandoc-25662a4940503ffb064a92f60db8cd83050b1878.tar.zst mandoc-25662a4940503ffb064a92f60db8cd83050b1878.zip | |
Do not read past the end of the buffer if an "f" layout font modifier
is followed by the end of the input line instead of a font specifier.
Found by jsg@ with afl, test case #591.
While here, improve functionality as well:
* There is no "r" font modifier.
* Font specifiers (as opposed to font modifiers) are case sensitive.
* One-character font specifiers require trailing whitespace.
* Ignore parenthised and two-letter font specifiers.
Diffstat (limited to 'tbl_layout.c')
| -rw-r--r-- | tbl_layout.c | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/tbl_layout.c b/tbl_layout.c index dc745b33..ed9acc9c 100644 --- a/tbl_layout.c +++ b/tbl_layout.c @@ -1,4 +1,4 @@ -/* $Id: tbl_layout.c,v 1.37 2015/01/30 04:11:50 schwarze Exp $ */ +/* $Id: tbl_layout.c,v 1.38 2015/02/10 11:03:13 schwarze Exp $ */ /* * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2012, 2014, 2015 Ingo Schwarze <schwarze@openbsd.org> @@ -97,12 +97,8 @@ mod: switch (tolower((unsigned char)p[(*pos)++])) { case 'b': - /* FALLTHROUGH */ - case 'i': - /* FALLTHROUGH */ - case 'r': - (*pos)--; - break; + cp->flags |= TBL_CELL_BOLD; + goto mod; case 'd': cp->flags |= TBL_CELL_BALIGN; goto mod; @@ -111,6 +107,9 @@ mod: goto mod; case 'f': break; + case 'i': + cp->flags |= TBL_CELL_ITALIC; + goto mod; case 'm': mandoc_msg(MANDOCERR_TBLLAYOUT_MOD, tbl->parse, ln, *pos, "m"); @@ -150,20 +149,37 @@ mod: goto mod; } - switch (tolower((unsigned char)p[(*pos)++])) { + /* Ignore parenthised font names for now. */ + + if (p[*pos] == '(') + goto mod; + + /* Support only one-character font-names for now. */ + + if (p[*pos] == '\0' || (p[*pos + 1] != ' ' && p[*pos + 1] != '.')) { + mandoc_vmsg(MANDOCERR_FT_BAD, tbl->parse, + ln, *pos, "TS %s", p + *pos - 1); + if (p[*pos] != '\0') + (*pos)++; + if (p[*pos] != '\0') + (*pos)++; + goto mod; + } + + switch (p[(*pos)++]) { case '3': /* FALLTHROUGH */ - case 'b': + case 'B': cp->flags |= TBL_CELL_BOLD; goto mod; case '2': /* FALLTHROUGH */ - case 'i': + case 'I': cp->flags |= TBL_CELL_ITALIC; goto mod; case '1': /* FALLTHROUGH */ - case 'r': + case 'R': goto mod; default: mandoc_vmsg(MANDOCERR_FT_BAD, tbl->parse, |