From 1a5d26ae4bbfe5c0d2618b1acac1d61d58e451f4 Mon Sep 17 00:00:00 2001
From: schwarze
Date: Thu, 1 Jan 2015 19:28:29 +0000
Subject: [PATCH] Fix a buffer overrun triggered by a trailing backslash at EOF in an unclosed conditional body. If the memory contained the byte sequence "\}" after the end of the buffer before the next NUL, this could even write beyond the end of the buffer, specifically '&' to the location of the '}'. Found by jsg@ with afl.
---
 usr.bin/mandoc/roff.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c
index 65b43948f6f..d7d1ff61ca9 100644
--- a/usr.bin/mandoc/roff.c
+++ b/usr.bin/mandoc/roff.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: roff.c,v 1.118 2014/12/28 14:16:07 schwarze Exp $ */
+/* $OpenBSD: roff.c,v 1.119 2015/01/01 19:28:29 schwarze Exp $ */
 /*
- * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
- * Copyright (c) 2010-2014 Ingo Schwarze
+ * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons
+ * Copyright (c) 2010-2015 Ingo Schwarze
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1161,7 +1161,8 @@ roff_cond_sub(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
@@ -1181,7 +1182,8 @@ roff_cond_text(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
-- 
2.20.1
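Review bot: The new `if (*ep != '\0')` guard in roff_cond_sub stops the pointer from stepping past the terminator, but it carries no explanation, and a reader of the loop has to reconstruct from the commit subject why a NUL can sit right after a backslash; a why-comment such as `/* A trailing backslash is the last byte of the line: stay on the NUL so the next scan ends here instead of reading past the buffer. */` would keep that reasoning with the code. When the guard fires the loop presumably goes round once more and only ends because the search from the NUL finds nothing; an explicit `break` in that case would state the termination directly rather than relying on that. The identical guarded loop is patched in roff_cond_text in the next hunk, so the two copies now have to be kept in step by hand; a single static helper that scans one line for the `\}` delimiter and closes the scope would remove that duplication. Both enclosing functions begin before their hunks, so the loop header and the comparison that decides when `*ep` is overwritten with `'&'` are not visible here.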