| author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-03-09 15:27:53 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-03-09 15:27:53 +0000 |
| commit | 4d37d1aaded8720cb9289c296a9ca845bd000f2d (patch) | |
| tree | 0da60d70172fd1625030984b8c5fef2842369651 | |
| parent | 6c017ea092c3b022cfda95166bb72e9d379eb3ed (diff) | |
Fix blunder in previous: we must keep the line parse buffer
consistent even when aborting the parsing of the line. That buffer
is not our own, but owned and reused by mparse_buf_r(), read.c.
Returning without cleanup leaked memory and caused write overruns
of the old, typically much smaller buffer in mparse_buf_r().
Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.
-rw-r--r-- | usr.bin/mandoc/roff.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c index eebc31cdd7d..3d2ae913977 100644 --- a/usr.bin/mandoc/roff.c +++ b/usr.bin/mandoc/roff.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roff.c,v 1.164 2017/03/08 13:17:28 schwarze Exp $ */ +/* $OpenBSD: roff.c,v 1.165 2017/03/09 15:27:52 schwarze Exp $ */ /* * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org> @@ -3090,6 +3090,8 @@ roff_userdef(ROFF_ARGS) else if (++expand_count > EXPAND_LIMIT) { mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, (int)(cp - n1), NULL); + free(buf->buf); + buf->buf = n1; return ROFF_IGN; } |
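Review bot: in the roff_userdef() hunk, the EXPAND_LIMIT early-return path now frees the old line buffer and hands n1 back through buf->buf, but the two added lines say nothing about the matching size field; since the commit message states the old buffer is typically much smaller than the new one, buf->sz must already have been updated to n1's allocation before this check, and a one-line comment such as `/* buf->sz already describes n1 */` next to `buf->buf = n1;` would let the next reader confirm at a glance that the ROFF_IGN return leaves buf->buf and buf->sz consistent for mparse_buf_r(). It would also be worth stating in the message whether this is the only return between the allocation of n1 and the normal swap, so that no other abort path in roff_userdef() still leaks n1 or leaves the caller's pointer dangling.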