From 1bcee936fd224aaaa41b2710414512ea400c79f0 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Thu, 9 Mar 2017 15:29:35 +0000
Subject: Fix blunder in previous: we must keep the line parse buffer consistent even when aborting the parsing of the line. That buffer is not our own, but owned and reused by mparse_buf_r(), read.c. Returning without cleanup leaked memory and caused write overruns of the old, typically much smaller buffer in mparse_buf_r(). Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.
---
 roff.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roff.c b/roff.c
index cf9a1baa..268d6470 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.292 2017/03/08 13:18:10 schwarze Exp $ */
+/* $Id: roff.c,v 1.293 2017/03/09 15:29:35 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons
  * Copyright (c) 2010-2015, 2017 Ingo Schwarze
@@ -3092,6 +3092,8 @@ roff_userdef(ROFF_ARGS)
 	else if (++expand_count > EXPAND_LIMIT) {
 		mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln,
 		    (int)(cp - n1), NULL);
+		free(buf->buf);
+		buf->buf = n1;
 		return ROFF_IGN;
 	}
 
-- 
cgit v1.2.3-56-ge451
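Review bot: The two added lines in the EXPAND_LIMIT branch repeat the buffer hand-off that the successful expansion path presumably performs, but nothing at the site says why an abort that returns ROFF_IGN must still free and replace buf->buf, so a later reader is likely to mistake the free() in an error branch for a double free and "fix" it. From the commit message, buf->sz has already been set to the size of the new allocation n1 before this branch runs (that assignment is outside the hunk), which is why leaving buf->buf pointing at the old, smaller allocation let the caller write past its end; a comment above the free such as `/* buf->sz already describes n1: hand it over even when giving up, or mparse_buf_r() keeps writing into the old, smaller buffer. */` would record that invariant. Consider also moving the free/assign pair to the one place the function swaps buffers so the abort and success paths cannot drift apart again. roff_userdef begins and ends outside the hunk, and the header's six old lines suggest a trailing blank context line that the paste collapsed.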