diff options
author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2022-04-23 13:58:10 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2022-04-23 13:58:10 +0000 |
commit | 31c114f16c4d515529b1ba9a039f257a7c7ac139 (patch) | |
tree | f46562440372553b20e59e0ca1d29b25b683da54 /lib/libssl/dtls1.h | |
parent | 61e697b9f27beeed025e086558ed79ad05fae595 (diff) |
If the last data row of a tbl(7) contains nothing but a horizontal line,
do not skip closing the table and cleaning up memory at the end of the
table in the HTML output module.
This bug resulted in skipping the tblcalc() function and reusing
the existing roffcol array for the next tbl(7) processed. If the
next table had more columns than the one ending with a horizontal
line in the last data row, uninitialized memory was read, potentially
resulting in near-infinite output.
The bug was introduced in rev. 1.24 (2018/11/26) but only fully exposed
by rev. 1.33 (2021/09/09). Until rev. 1.32, it could only cause
misformatting and invalid HTML output syntax but not huge output
because up to that point, the function did not use the roffcol array.
Nasty bug found the hard way by Michael Stapelberg on the production
server manpages.debian.org. Michael also supplied example files
and excellent instructions how to reproduce the bug, which was very
difficult because no real-world manual page is known that triggers
the bug by itself, so to reproduce the bug, mandoc(1) had to be
invoked with at least two file name arguments.
Diffstat (limited to 'lib/libssl/dtls1.h')
0 files changed, 0 insertions, 0 deletions