diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2014-12-24 15:38:55 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-12-24 15:38:55 +0000 |
| commit | 09a8bdf0f2fa584f57aa5d897c98eae1f48ae719 (patch) | |
| tree | 91c4d9f2dc5171c372cc3a95d714b194e0a725de /tbl_term.c | |
| parent | fb95344148cb8c3ffd77776cedee32c2661cffa1 (diff) | |
| download | mandoc-09a8bdf0f2fa584f57aa5d897c98eae1f48ae719.tar.gz mandoc-09a8bdf0f2fa584f57aa5d897c98eae1f48ae719.tar.zst mandoc-09a8bdf0f2fa584f57aa5d897c98eae1f48ae719.zip | |
Prevent unsigned integer underflow when a number is too wide
for a table cell with an "nz" layout specification,
causing essentially infinite output as found by jsg@ with afl.
Diffstat (limited to 'tbl_term.c')
| -rw-r--r-- | tbl_term.c | 12 |
1 files changed, 8 insertions, 4 deletions
@@ -1,4 +1,4 @@ -/* $Id: tbl_term.c,v 1.31 2014/10/14 18:18:05 schwarze Exp $ */ +/* $Id: tbl_term.c,v 1.32 2014/12/24 15:38:55 schwarze Exp $ */ /* * Copyright (c) 2009, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2011, 2012, 2014 Ingo Schwarze <schwarze@openbsd.org> @@ -417,9 +417,13 @@ tbl_number(struct termp *tp, const struct tbl_opts *opts, } else d = sz + psz; - padl = col->decimal - d; - - tbl_char(tp, ASCII_NBRSP, padl); + if (col->decimal > d && col->width > sz) { + padl = col->decimal - d; + if (padl + sz > col->width) + padl = col->width - sz; + tbl_char(tp, ASCII_NBRSP, padl); + } else + padl = 0; tbl_word(tp, dp); if (col->width > sz + padl) tbl_char(tp, ASCII_NBRSP, col->width - sz - padl); |