diff options
| author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2022-04-13 20:19:20 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2022-04-13 20:19:20 +0000 |
| commit | f103a8be64783213f4419f7145b5ad93389b6f9b (patch) | |
| tree | 83d9f3430a1bd2f60d90f3ece509dfc60a2c9b3c /usr.bin/mandoc | |
| parent | a42ece57e3acde8b718e9e1fabe9c5de6bd84d88 (diff) | |
To prevent infinite recursion while expanding eqn(7) definitions,
we must not reset the recursion counter when moving beyond the end
of the *previous* expansion, but we may only do so when moving
beyond the rightmost position reached by *any* expansion in the
current equation. This matters because definitions can nest;
consider:
.EQ
define inner "content"
define outer "inner outer"
outer
.EN
This endless loop was found by tb@ using afl(1).
Incidentally, GNU eqn(1) also performs an infinite loop in this
situation and then crashes when memory runs out, but that's not an
excuse for nasty behaviour of mandoc(1).
While here, consistently print the expanded content even when the
expansion is finally truncated. While that is not likely to help
end-users, it may help authors of eqn(7) code to understand what's
going on. Besides, it sends a very clear signal that something is
amiss, which was easy to miss in the past unless people
enabled -W error or used -T lint.
Diffstat (limited to 'usr.bin/mandoc')
| -rw-r--r-- | usr.bin/mandoc/eqn.c | 26 | ||||
| -rw-r--r-- | usr.bin/mandoc/eqn_parse.h | 6 |
2 files changed, 19 insertions, 13 deletions
diff --git a/usr.bin/mandoc/eqn.c b/usr.bin/mandoc/eqn.c index ad3206770bb..51e7bdd55e6 100644 --- a/usr.bin/mandoc/eqn.c +++ b/usr.bin/mandoc/eqn.c @@ -1,7 +1,8 @@ -/* $OpenBSD: eqn.c,v 1.47 2020/01/08 12:09:14 schwarze Exp $ */ +/* $OpenBSD: eqn.c,v 1.48 2022/04/13 20:19:18 schwarze Exp $ */ /* + * Copyright (c) 2014, 2015, 2017, 2018, 2020, 2022 + * Ingo Schwarze <schwarze@openbsd.org> * Copyright (c) 2011, 2014 Kristaps Dzonsons <kristaps@bsd.lv> - * Copyright (c) 2014,2015,2017,2018,2020 Ingo Schwarze <schwarze@openbsd.org> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -373,19 +374,17 @@ eqn_def_find(struct eqn_node *ep) static enum eqn_tok eqn_next(struct eqn_node *ep, enum parse_mode mode) { - static int last_len, lim; - struct eqn_def *def; size_t start; - int diff, i, quoted; + int diff, i, newlen, quoted; enum eqn_tok tok; /* * Reset the recursion counter after advancing - * beyond the end of the previous substitution. + * beyond the end of the rightmost substitution. */ - if (ep->end - ep->data >= last_len) - lim = 0; + if (ep->end - ep->data >= ep->sublen) + ep->subcnt = 0; ep->start = ep->end; quoted = mode == MODE_QUOTED; @@ -432,10 +431,10 @@ eqn_next(struct eqn_node *ep, enum parse_mode mode) return EQN_TOK__MAX; if ((def = eqn_def_find(ep)) == NULL) break; - if (++lim > EQN_NEST_MAX) { + if (++ep->subcnt > EQN_NEST_MAX) { mandoc_msg(MANDOCERR_ROFFLOOP, ep->node->line, ep->node->pos, NULL); - return EQN_TOK_EOF; + break; } /* Replace a defined name with its string value. */ @@ -444,12 +443,15 @@ eqn_next(struct eqn_node *ep, enum parse_mode mode) ep->sz += diff; ep->data = mandoc_realloc(ep->data, ep->sz + 1); ep->start = ep->data + start; + ep->sublen += diff; } if (diff) memmove(ep->start + def->valsz, ep->start + ep->toksz, strlen(ep->start + ep->toksz) + 1); memcpy(ep->start, def->val, def->valsz); - last_len = ep->start - ep->data + def->valsz; + newlen = ep->start - ep->data + def->valsz; + if (ep->sublen < newlen) + ep->sublen = newlen; } if (mode != MODE_TOK) return quoted ? EQN_TOK_QUOTED : EQN_TOK__MAX; @@ -676,6 +678,8 @@ eqn_parse(struct eqn_node *ep) return; ep->start = ep->end = ep->data; + ep->sublen = 0; + ep->subcnt = 0; next_tok: tok = eqn_next(ep, MODE_TOK); diff --git a/usr.bin/mandoc/eqn_parse.h b/usr.bin/mandoc/eqn_parse.h index 0a8e61953b9..2033b5445b6 100644 --- a/usr.bin/mandoc/eqn_parse.h +++ b/usr.bin/mandoc/eqn_parse.h @@ -1,7 +1,7 @@ -/* $OpenBSD: eqn_parse.h,v 1.3 2018/12/14 06:33:03 schwarze Exp $ */ +/* $OpenBSD: eqn_parse.h,v 1.4 2022/04/13 20:19:18 schwarze Exp $ */ /* + * Copyright (c) 2014, 2017, 2018, 2022 Ingo Schwarze <schwarze@openbsd.org> * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv> - * Copyright (c) 2014, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -32,6 +32,8 @@ struct eqn_node { size_t defsz; /* Number of definitions. */ size_t sz; /* Length of the source code. */ size_t toksz; /* Length of the current token. */ + int sublen; /* End of rightmost substitution, so far. */ + int subcnt; /* Number of recursive substitutions. */ int gsize; /* Default point size. */ int delim; /* In-line delimiters enabled. */ char odelim; /* In-line opening delimiter. */ |