From 583f2f708eb980bf56e21300c8b146442523c787 Mon Sep 17 00:00:00 2001 From: schwarze Date: Tue, 16 Dec 2014 01:21:37 +0000 Subject: [PATCH] When a numerical condition errors out after consuming at least one character of input, treat it as false, do not retry it as a string comparison condition. This also fixes a read buffer overrun that happened when the numerical condition advanced to the end of the input line before erroring out, found by jsg@ with afl. --- regress/usr.bin/mandoc/roff/cond/numeric.in | 18 +++++++++++++++++- .../usr.bin/mandoc/roff/cond/numeric.out_ascii | 6 +++++- usr.bin/mandoc/roff.c | 9 ++++++--- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/regress/usr.bin/mandoc/roff/cond/numeric.in b/regress/usr.bin/mandoc/roff/cond/numeric.in index ab154d61575..d28fcb9e8a2 100644 --- a/regress/usr.bin/mandoc/roff/cond/numeric.in +++ b/regress/usr.bin/mandoc/roff/cond/numeric.in @@ -1,4 +1,4 @@ -.TH COND-NUMERIC 1 "April 7, 2014" OpenBSD +.TH COND-NUMERIC 1 "December 16, 2014" OpenBSD .SH NAME cond-numeric \- roff conditions involving numbers .SH DESCRIPTION @@ -126,3 +126,19 @@ operator ":": 11 .ie 1:1 (t) .el (f) +.PP +unmatched parenthesis: +.ie ( +(t) +.el (f) +one +.ie (1 (t) +.el (f) +.PP +negated unmatched parenthesis: +.ie !( +(t) +.el (f) +zero +.ie !(0 (t) +.el (f) diff --git a/regress/usr.bin/mandoc/roff/cond/numeric.out_ascii b/regress/usr.bin/mandoc/roff/cond/numeric.out_ascii index 9947c53757b..b8155caafc9 100644 --- a/regress/usr.bin/mandoc/roff/cond/numeric.out_ascii +++ b/regress/usr.bin/mandoc/roff/cond/numeric.out_ascii @@ -30,6 +30,10 @@ DDEESSCCRRIIPPTTIIOONN operator ":": 00 (f) 01 (t) 10 (t) 11 (t) + unmatched parenthesis: (f) one (t) + negated unmatched parenthesis: (f) zero (t) -OpenBSD April 7, 2014 COND-NUMERIC(1) + + +OpenBSD December 16, 2014 COND-NUMERIC(1) diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c index d4d923c965d..e7d9795cde0 100644 --- a/usr.bin/mandoc/roff.c +++ b/usr.bin/mandoc/roff.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: roff.c,v 1.112 2014/12/15 23:42:31 schwarze Exp $ */
+/* $OpenBSD: roff.c,v 1.113 2014/12/16 01:21:37 schwarze Exp $ */
 /*
 * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
 * Copyright (c) 2010-2014 Ingo Schwarze
@@ -1247,7 +1247,7 @@ out:
 static int
 roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 {
- int wanttrue, number;
+ int number, savepos, wanttrue;

 if ('!' == v[*pos]) {
 wanttrue = 0;
@@ -1280,10 +1280,13 @@ roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 break;
 }

+ savepos = *pos;
 if (roff_evalnum(r, ln, v, pos, &number, 0))
 return((number > 0) == wanttrue);
- else
+ else if (*pos == savepos)
 return(roff_evalstrcond(v, pos) == wanttrue);
+ else
+ return (0);
 }

 static enum rofferr
-- 
2.20.1
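Review bot: In the last roff.c hunk, the new `else if (*pos == savepos)` guard only establishes that roff_evalnum() consumed nothing; it does not establish that `v[*pos]` is something other than the terminating NUL, so a condition that is already at end of line when this code is reached would still be passed to roff_evalstrcond(). The start of roff_evalcond() and its switch lie outside the hunk, so this case may already be excluded there; if it is not, and roff_evalstrcond() expects a delimiter at `v[*pos]` as the overrun described in the commit message suggests, `else if (*pos == savepos && v[*pos] != '\0')` would cover it. A one-line comment above `savepos = *pos;`, for example `/* Fall back to a string comparison only if no input was consumed. */`, would record why the position is saved. The new `return (0);` is also spelled differently from the `return(` form on the neighbouring lines.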