While doing delayed expansion of escape sequences in macro arguments,

correctly check for failure of the in-place expansion function.
If an argument not only does recursive delayed expansion
but infinitely recursive delayed expansion, this bug could
result in an ESCAPE_EXPAND assertion failure.

Thanks to Eric van Gyzen <vangyzen at FreeBSD> for finding this bug
by inspecting FreeBSD source code.

diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c
index 20aa69c..4a2784b 100644 (file)
--- a/usr.bin/mandoc/roff.c
+++ b/usr.bin/mandoc/roff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roff.c,v 1.269 2023/10/21 17:10:12 schwarze Exp $ */
+/* $OpenBSD: roff.c,v 1.270 2023/10/22 16:01:58 schwarze Exp $ */
 /*
  * Copyright (c) 2010-2015, 2017-2022 Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1687,7 +1687,7 @@ roff_getarg(struct roff *r, char **cpp, int ln, int *pos)
        buf.buf = start;
        buf.sz = strlen(start) + 1;
        buf.next = NULL;
-       if (roff_expand(r, &buf, ln, 0, '\\') & ROFF_IGN) {
+       if (roff_expand(r, &buf, ln, 0, '\\') == ROFF_IGN) {
                free(buf.buf);
                buf.buf = mandoc_strdup("");
        }