Fix a buffer overrun triggered by a trailing backslash at EOF in

an unclosed conditional body.  If the memory contained the byte
sequence "\}" after the end of the buffer before the next NUL, this
could even write beyond the end of the buffer, specifically '&' to
the location of the '}'.  Found by jsg@ with afl.

diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c
index 65b4394..d7d1ff6 100644 (file)
--- a/usr.bin/mandoc/roff.c
+++ b/usr.bin/mandoc/roff.c
@@ -1,7 +1,7 @@
-/*     $OpenBSD: roff.c,v 1.118 2014/12/28 14:16:07 schwarze Exp $ */
+/*     $OpenBSD: roff.c,v 1.119 2015/01/01 19:28:29 schwarze Exp $ */
 /*
- * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
+ * Copyright (c) 2010-2015 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1161,7 +1161,8 @@ roff_cond_sub(ROFF_ARGS)
                        *ep = '&';
                        roff_ccond(r, ln, ep - buf->buf - 1);
                }
-               ++ep;
+               if (*ep != '\0')
+                       ++ep;
        }
        return(rr ? ROFF_CONT : ROFF_IGN);
 }
@@ -1181,7 +1182,8 @@ roff_cond_text(ROFF_ARGS)
                        *ep = '&';
                        roff_ccond(r, ln, ep - buf->buf - 1);
                }
-               ++ep;
+               if (*ep != '\0')
+                       ++ep;
        }
        return(rr ? ROFF_CONT : ROFF_IGN);
 }