authorIngo Schwarze <schwarze@cvs.openbsd.org>2014-08-18 13:25:55 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2014-08-18 13:25:55 +0000
commitf7915a717e98cdd75db5500ddb6844c6dd7973d4 (patch)
treeb897ec0813b869519933aabd2ff4dc9f8d81a36d
parent121f0060b4cd9fc2685f04911c9bc35d6778db4c (diff)
kristaps@ found this with valgrind, merge his patch from bsd.lv:
Fix a corner case where \H<nil> (where <nil> is the \0 character) would cause mandoc_escape() to read past the end of an allocated string. Found when a script scanning all Mac OSX manuals accidentally also scanned binary (gzip'd) files; discussed with schwarze@ on tech@mdocml.
-rw-r--r--usr.bin/mandoc/mandoc.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.bin/mandoc/mandoc.c b/usr.bin/mandoc/mandoc.c
index 8c057d687a1..cad209881cc 100644
--- a/usr.bin/mandoc/mandoc.c
+++ b/usr.bin/mandoc/mandoc.c
@@ -1,4 +1,4 @@
-/* $Id: mandoc.c,v 1.52 2014/07/06 19:08:56 schwarze Exp $ */
+/* $Id: mandoc.c,v 1.53 2014/08/18 13:25:54 schwarze Exp $ */
/*
* Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -197,7 +197,8 @@ mandoc_escape(const char **end, const char **start, int *sz)
/* FALLTHROUGH */
case 'x':
if (strchr(" %&()*+-./0123456789:<=>", **start)) {
- ++*end;
+ if ('\0' != **start)
+ ++*end;
return(ESCAPE_ERROR);
}
gly = ESCAPE_IGNORE;
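Review bot: The new `'\0' != **start` guard is needed only because strchr() also matches the terminating NUL of its search string, so a NUL delimiter enters this error branch, and nothing in the hunk documents that. A short comment above the guard, such as `/* strchr() matches the terminating NUL too; do not step past it. */`, would keep a later cleanup from dropping the check and reintroducing the out-of-bounds read. The rest of mandoc_escape() lies outside this hunk, so the other places that advance `*end` or `*start` are not visible here and may deserve the same end-of-string check. A regression input that ends immediately after `\H` would pin the fix.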