From 031d1f01fc925d18b3af6e51565d51044023590b Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Thu, 1 Jan 2015 18:11:45 +0000
Subject: Fix a read buffer overrun triggered by trailing \s- or trailing \s+
 without the required subsequent argument; found by jsg@ with afl.

---
 mandoc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'mandoc.c')

diff --git a/mandoc.c b/mandoc.c
index cd26ff29..4975df00 100644
--- a/mandoc.c
+++ b/mandoc.c
@@ -1,7 +1,7 @@
-/*	$Id: mandoc.c,v 1.89 2014/12/15 17:30:30 schwarze Exp $ */
+/*	$Id: mandoc.c,v 1.90 2015/01/01 18:11:45 schwarze Exp $ */
 /*
- * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2008-2011, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
+ * Copyright (c) 2011-2015 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -225,7 +225,7 @@ mandoc_escape(const char **end, const char **start, int *sz)
 
 		/* See +/- counts as a sign. */
 		if ('+' == **end || '-' == **end || ASCII_HYPH == **end)
-			(*end)++;
+			*start = ++*end;
 
 		switch (**end) {
 		case '(':
-- 
cgit v1.2.3-56-ge451