2 files changed, 8 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index a71e41ca..03cdc10d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-$Id: NEWS,v 1.30 2018/08/01 13:46:15 schwarze Exp $
+$Id: NEWS,v 1.31 2018/08/01 15:40:17 schwarze Exp $
 
 This file lists the most important changes in the mandoc.bsd.lv distribution.
 
@@ -35,6 +35,8 @@ Changes in version 1.14.4, released on August XXX, 2018
  * Only activate UTF-8 output when the user really selected UTF-8,
    not some other multibyte character encoding.
  * Prevent excessive .ll arguments from generating infinite output.
+ * Fix out of bounds accesses to parse buffers that could happen when
+   using renamed or user defined macros after roff(7) conditionals.
  * Avoid an assertion failure in certain .Bl -column lists.
  * Avoid a NULL pointer access on deroff() failure after '.SS ""'.
  * Fix a segfault that could be triggered by two invalid .Dt macros.
@@ -60,7 +62,7 @@ Changes in version 1.14.4, released on August XXX, 2018
  * Thomas Klausner (NetBSD) for suggesting two new style messages,
    one new feature, and for two bug reports.
  * Leah Neukirchen (Void Linux) for suggesting a new style message,
-   four bug reports, and release testing.
+   five bug reports, and release testing.
  * Anthony Bentley (OpenBSD) for reporting multiple bugs and missing
    features.
  * Paul Irofti (OpenBSD) and Nate Bargmann for suggesting new features.
diff --git a/roff.c b/roff.c
index c0ccca87..86e145e3 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.328 2018/04/11 17:11:13 schwarze Exp $ */
+/*	$Id: roff.c,v 1.329 2018/08/01 15:40:17 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -2845,6 +2845,7 @@ roff_TE(ROFF_ARGS)
 		free(buf->buf);
 		buf->buf = mandoc_strdup(".sp");
 		buf->sz = 4;
+		*offs = 0;
 		return ROFF_REPARSE;
 	}
 	r->tbl = NULL;
@@ -3364,6 +3365,7 @@ roff_userdef(ROFF_ARGS)
 			    ln, (int)(cp - n1), NULL);
 			free(buf->buf);
 			buf->buf = n1;
+			*offs = 0;
 			return ROFF_IGN;
 		}
 
@@ -3458,6 +3460,7 @@ roff_renamed(ROFF_ARGS)
 	    buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
 	free(buf->buf);
 	buf->buf = nbuf;
+	*offs = 0;
 	return ROFF_CONT;
 }