From 00e80a2ae7780e0c7683cf6d339d3229e9d2c3e7 Mon Sep 17 00:00:00 2001
From: schwarze <schwarze@openbsd.org>
Date: Wed, 1 Aug 2018 13:44:15 +0000
Subject: [PATCH] Avoid a read access one byte beyond the end of an allocated
 string which occurred in situations like ".Fl a Cm --"; found by Leah
 Neukirchen <leah at vuxu dot org> with valgrind on Void Linux.

---
 usr.bin/mandoc/mdoc_validate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.bin/mandoc/mdoc_validate.c b/usr.bin/mandoc/mdoc_validate.c
index 4225aa7ebe5..c2e1b72e3c6 100644
--- a/usr.bin/mandoc/mdoc_validate.c
+++ b/usr.bin/mandoc/mdoc_validate.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mdoc_validate.c,v 1.273 2018/04/11 17:10:35 schwarze Exp $ */
+/*	$OpenBSD: mdoc_validate.c,v 1.274 2018/08/01 13:44:15 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -438,7 +438,7 @@ check_text_em(struct roff_man *mdoc, int ln, int pos, char *p)
 		     np->string != '\0' &&
 		     isalpha((unsigned char)np->string[
 		       strlen(np->string) - 1])) ||
-		    (cp[2] != '\0' ?
+		    (cp[1] != '\0' && cp[2] != '\0' ?
 		     isalpha((unsigned char)cp[2]) :
 		     nn != NULL &&
 		     nn->type == ROFFT_TEXT &&
-- 
2.20.1