Ignore explicitly specified negative column widths rather than

wrapping around to huge numbers and risking memory exhaustion;
fixes Debian ps(1).  Bug reported by Dr. Markus Waldeck.

2 files changed, 9 insertions, 3 deletions

diff --git a/usr.bin/mandoc/tbl_html.c b/usr.bin/mandoc/tbl_html.c
index b753fbabfa5..0d2582f1c1b 100644
--- a/usr.bin/mandoc/tbl_html.c
+++ b/usr.bin/mandoc/tbl_html.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tbl_html.c,v 1.17 2017/06/12 20:14:03 schwarze Exp $ */
+/*	$OpenBSD: tbl_html.c,v 1.18 2017/07/31 16:14:04 schwarze Exp $ */
 /*
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015, 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -47,6 +47,9 @@ html_tbl_strlen(const char *p, void *arg)
 static size_t
 html_tbl_sulen(const struct roffsu *su, void *arg)
 {
+	if (su->scale < 0.0)
+		return 0;
+
 	switch (su->unit) {
 	case SCALE_FS:  /* 2^16 basic units */
 		return su->scale * 65536.0 / 24.0;
diff --git a/usr.bin/mandoc/tbl_term.c b/usr.bin/mandoc/tbl_term.c
index f70795895b9..7dce33652e5 100644
--- a/usr.bin/mandoc/tbl_term.c
+++ b/usr.bin/mandoc/tbl_term.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tbl_term.c,v 1.44 2017/07/08 13:43:09 schwarze Exp $ */
+/*	$OpenBSD: tbl_term.c,v 1.45 2017/07/31 16:14:04 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011,2012,2014,2015,2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -49,7 +49,10 @@ static	void	tbl_word(struct termp *, const struct tbl_dat *);
 static size_t
 term_tbl_sulen(const struct roffsu *su, void *arg)
 {
-	return term_hen((const struct termp *)arg, su);
+	int	 i;
+
+	i = term_hen((const struct termp *)arg, su);
+	return i > 0 ? i : 0;
 }
 
 static size_t