summaryrefslogtreecommitdiff
path: root/lib/libssl/dtls1.h
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@cvs.openbsd.org>2022-04-23 13:58:10 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2022-04-23 13:58:10 +0000
commit31c114f16c4d515529b1ba9a039f257a7c7ac139 (patch)
treef46562440372553b20e59e0ca1d29b25b683da54 /lib/libssl/dtls1.h
parent61e697b9f27beeed025e086558ed79ad05fae595 (diff)
If the last data row of a tbl(7) contains nothing but a horizontal line,
do not skip closing the table and cleaning up memory at the end of the table in the HTML output module. This bug resulted in skipping the tblcalc() function and reusing the existing roffcol array for the next tbl(7) processed. If the next table had more columns than the one ending with a horizontal line in the last data row, uninitialized memory was read, potentially resulting in near-infinite output. The bug was introduced in rev. 1.24 (2018/11/26) but only fully exposed by rev. 1.33 (2021/09/09). Until rev. 1.32, it could only cause misformatting and invalid HTML output syntax but not huge output because up to that point, the function did not use the roffcol array. Nasty bug found the hard way by Michael Stapelberg on the production server manpages.debian.org. Michael also supplied example files and excellent instructions how to reproduce the bug, which was very difficult because no real-world manual page is known that triggers the bug by itself, so to reproduce the bug, mandoc(1) had to be invoked with at least two file name arguments.
Diffstat (limited to 'lib/libssl/dtls1.h')
0 files changed, 0 insertions, 0 deletions