From 1c972bdca42560b7e203458ca4ffa11c584cd149 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Sun, 6 Sep 2020 14:45:22 +0000
Subject: After .ti, there are many reasons why the offset may change, so
 setting it back later requires a guard against underflow, or subsequent
 assertions may fail. Issue found in an afl run performed by Jan Schreiber
 <jes at posteo dot de>.

---
 term_ascii.c | 14 ++++++++++----
 term_ps.c    |  9 ++++++---
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/term_ascii.c b/term_ascii.c
index 368623ca..4e06a739 100644
--- a/term_ascii.c
+++ b/term_ascii.c
@@ -1,7 +1,7 @@
-/*	$Id: term_ascii.c,v 1.64 2018/11/28 14:23:06 schwarze Exp $ */
+/* $Id: term_ascii.c,v 1.65 2020/09/06 14:45:22 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014, 2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014,2015,2017,2018,2020 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -232,7 +232,10 @@ ascii_endline(struct termp *p)
 {
 
 	p->line++;
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else
+		p->tcol->offset = 0;
 	p->ti = 0;
 	putchar('\n');
 }
@@ -390,7 +393,10 @@ locale_endline(struct termp *p)
 {
 
 	p->line++;
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else 
+		p->tcol->offset = 0;
 	p->ti = 0;
 	putwchar(L'\n');
 }
diff --git a/term_ps.c b/term_ps.c
index 2cd94c92..374d3d9a 100644
--- a/term_ps.c
+++ b/term_ps.c
@@ -1,7 +1,7 @@
-/*	$Id: term_ps.c,v 1.91 2017/11/10 23:42:52 schwarze Exp $ */
+/* $Id: term_ps.c,v 1.92 2020/09/06 14:45:22 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014,2015,2016,2017,2020 Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2017 Marc Espie <espie@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -1252,7 +1252,10 @@ ps_endline(struct termp *p)
 
 	ps_closepage(p);
 
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else 
+		p->tcol->offset = 0;
 	p->ti = 0;
 }
 
-- 
cgit v1.2.3-56-ge451