diff options
| -rw-r--r-- | roff.7 | 10 | ||||
| -rw-r--r-- | roff.c | 9 |
2 files changed, 14 insertions, 5 deletions
@@ -1,4 +1,4 @@ -.\" $Id: roff.7,v 1.60 2014/12/02 10:08:06 schwarze Exp $ +.\" $Id: roff.7,v 1.61 2014/12/25 17:23:32 schwarze Exp $ .\" .\" Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> .\" Copyright (c) 2010, 2011, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org> @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 2 2014 $ +.Dd $Mdocdate: December 25 2014 $ .Dt ROFF 7 .Os .Sh NAME @@ -543,8 +543,10 @@ one explicit newline character. In order to prevent endless recursion, both groff and .Xr mandoc 1 limit the stack depth for expanding macros and strings -to a large, but finite number. -Do not rely on the exact value of this limit. +to a large, but finite number, and +.Xr mandoc 1 +also limits the length of the expanded input line. +Do not rely on the exact values of these limits. .Ss \&dei Define a .Nm @@ -1,4 +1,4 @@ -/* $Id: roff.c,v 1.244 2014/12/18 17:43:41 schwarze Exp $ */ +/* $Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */ /* * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -21,6 +21,7 @@ #include <assert.h> #include <ctype.h> +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos) buf->sz = mandoc_asprintf(&nbuf, "%s%s%s", buf->buf, res, cp) + 1; + if (buf->sz > SHRT_MAX) { + mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, + ln, (int)(stesc - buf->buf), NULL); + return(ROFF_IGN); + } + /* Prepare for the next replacement. */ start = nbuf + pos; |