diff options
author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2014-12-24 09:57:42 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2014-12-24 09:57:42 +0000 |
commit | e23ad4cbfe820630e0699a3c10fdc9455625a638 (patch) | |
tree | 1e8c8a7dbced8148f654974aabbe0a3ac5e913bc /usr.bin/mandoc/man_term.c | |
parent | 6af23152ce1f04b8823bc4f0fe5f7537bb8bcd09 (diff) |
When a man(7) document contains unreasonably large numbers for
indentations or paragraph distances, large output may be generated,
which is practically the same as an endless loop; found by jsg@
with afl.
Reject such unreasonably large numbers beyond arbitrary limits
similar to those used by groff (max. 65 blank lines between paragraphs
and max. SHRT_MAX characters per output line) and fall back to
defaults when exceeded. Having the limits behave in exactly the
same way is not relevant.
Diffstat (limited to 'usr.bin/mandoc/man_term.c')
-rw-r--r-- | usr.bin/mandoc/man_term.c | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/usr.bin/mandoc/man_term.c b/usr.bin/mandoc/man_term.c index 68324f294c3..314f8fd7325 100644 --- a/usr.bin/mandoc/man_term.c +++ b/usr.bin/mandoc/man_term.c @@ -1,4 +1,4 @@ -/* $OpenBSD: man_term.c,v 1.116 2014/12/23 13:48:15 schwarze Exp $ */ +/* $OpenBSD: man_term.c,v 1.117 2014/12/24 09:57:41 schwarze Exp $ */ /* * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -19,6 +19,7 @@ #include <assert.h> #include <ctype.h> +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -430,6 +431,8 @@ pre_in(DECL_ARGS) p->offset += v; else p->offset = v; + if (p->offset > SHRT_MAX) + p->offset = term_len(p, p->defindent); return(0); } @@ -506,16 +509,16 @@ pre_HP(DECL_ARGS) if ((nn = n->parent->head->child) != NULL && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); + if (len < 0 && (size_t)(-len) > mt->offset) + len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; p->offset = mt->offset; - if (len > 0 || (size_t)(-len) < mt->offset) - p->rmargin = mt->offset + len; - else - p->rmargin = 0; - + p->rmargin = mt->offset + len; return(1); } @@ -580,9 +583,11 @@ pre_IP(DECL_ARGS) (nn = nn->next) != NULL && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); - mt->lmargin[mt->lmargincur] = len; if (len < 0 && (size_t)(-len) > mt->offset) len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); + mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; @@ -660,9 +665,11 @@ pre_TP(DECL_ARGS) nn->string != NULL && ! (MAN_LINE & nn->flags) && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); - mt->lmargin[mt->lmargincur] = len; if (len < 0 && (size_t)(-len) > mt->offset) len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); + mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; @@ -843,10 +850,11 @@ pre_RS(DECL_ARGS) break; } + len = SHRT_MAX + 1; if ((n = n->parent->head->child) != NULL && a2roffsu(n->string, &su, SCALE_EN)) len = term_hspan(p, &su); - else + if (len > SHRT_MAX) len = term_len(p, p->defindent); if (len > 0 || (size_t)(-len) < mt->offset) @@ -879,10 +887,11 @@ post_RS(DECL_ARGS) break; } + len = SHRT_MAX + 1; if ((n = n->parent->head->child) != NULL && a2roffsu(n->string, &su, SCALE_EN)) len = term_hspan(p, &su); - else + if (len > SHRT_MAX) len = term_len(p, p->defindent); if (len < 0 || (size_t)len < mt->offset) |