From 9c36db1cacb75563c9a544bababb0ca9d08844a0 Mon Sep 17 00:00:00 2001
From: Kristaps Dzonsons <kristaps@bsd.lv>
Date: Mon, 18 Aug 2014 09:11:47 +0000
Subject: Fix a corner case where \H<nil> (where <nil> is the \0 character)
 would cause mandoc_escape() to read past the end of an allocated string.
 Found when a script scanning of all Mac OSX manual accidentally also scanned
 binary (gzip'd) files, discussed with schwarze@ on tech@.

---
 mandoc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'mandoc.c')

diff --git a/mandoc.c b/mandoc.c
index 0ef12433..be3e264c 100644
--- a/mandoc.c
+++ b/mandoc.c
@@ -1,4 +1,4 @@
-/*	$Id: mandoc.c,v 1.85 2014/08/16 19:00:01 schwarze Exp $ */
+/*	$Id: mandoc.c,v 1.86 2014/08/18 09:11:47 kristaps Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -199,7 +199,8 @@ mandoc_escape(const char **end, const char **start, int *sz)
 		/* FALLTHROUGH */
 	case 'x':
 		if (strchr(" %&()*+-./0123456789:<=>", **start)) {
-			++*end;
+			if ('\0' != **start)
+				++*end;
 			return(ESCAPE_ERROR);
 		}
 		gly = ESCAPE_IGNORE;
-- 
cgit v1.2.3-56-ge451