Fix a read buffer overrun triggered by trailing \s- or trailing \s+

without the required subsequent argument; found by jsg@ with afl.

5 files changed, 12 insertions, 8 deletions

diff --git a/regress/usr.bin/mandoc/roff/esc/Makefile b/regress/usr.bin/mandoc/roff/esc/Makefile
index 5327ae0077c..92db491a430 100644
--- a/regress/usr.bin/mandoc/roff/esc/Makefile
+++ b/regress/usr.bin/mandoc/roff/esc/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.8 2014/12/03 01:06:22 schwarze Exp $
+# $OpenBSD: Makefile,v 1.9 2015/01/01 18:10:09 schwarze Exp $
 
 REGRESS_TARGETS = one two multi B c c_man e f h w z ignore
-LINT_TARGETS	= B h w
+LINT_TARGETS	= B h w ignore
 
 # Postprocessing to remove "character backspace" sequences
 # unless they are followed by the same character again.
diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.in b/regress/usr.bin/mandoc/roff/esc/ignore.in
index a7350b87cc1..4be7fb6c94a 100644
--- a/regress/usr.bin/mandoc/roff/esc/ignore.in
+++ b/regress/usr.bin/mandoc/roff/esc/ignore.in
@@ -1,4 +1,4 @@
-.Dd May 28, 2012
+.Dd January 1, 2015
 .Dt ESC-IGNORE 1
 .Os OpenBSD
 .Sh NAME
@@ -10,3 +10,5 @@ multiform: a\kxb\k(xyc\k[xyz]d
 quoted: a\R'myreg 0'b\R'myreg \A'y'0'c
 .br
 sizes: a\s0b\s(12c\s[123]d\s'123'e\s'1\w'xy'2'f
+.br
+signed sizes: a\s-0b\s-(12c\s-[123]d\s-'123'e\s-'1\w'xy'2'f\s-
diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii b/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii
index f147aa396a8..5e41d49afa2 100644
--- a/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii
+++ b/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii
@@ -7,5 +7,6 @@ DDEESSCCRRIIPPTTIIOONN
      multiform: abcd
      quoted: abc
      sizes: abcdef
+     signed sizes: abcdef
 
-OpenBSD                          May 28, 2012                          OpenBSD
+OpenBSD                         January 1, 2015                        OpenBSD
diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.out_lint b/regress/usr.bin/mandoc/roff/esc/ignore.out_lint
new file mode 100644
index 00000000000..c163d60d0de
--- /dev/null
+++ b/regress/usr.bin/mandoc/roff/esc/ignore.out_lint
@@ -0,0 +1 @@
+mandoc: ignore.in:14:60: WARNING: invalid escape sequence: \s-
diff --git a/usr.bin/mandoc/mandoc.c b/usr.bin/mandoc/mandoc.c
index 16c4f026ee5..362edb9a724 100644
--- a/usr.bin/mandoc/mandoc.c
+++ b/usr.bin/mandoc/mandoc.c
@@ -1,7 +1,7 @@
-/*	$OpenBSD: mandoc.c,v 1.57 2014/12/15 17:29:58 schwarze Exp $ */
+/*	$OpenBSD: mandoc.c,v 1.58 2015/01/01 18:10:09 schwarze Exp $ */
 /*
- * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2008-2011, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
+ * Copyright (c) 2011-2015 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -223,7 +223,7 @@ mandoc_escape(const char **end, const char **start, int *sz)
 
 		/* See +/- counts as a sign. */
 		if ('+' == **end || '-' == **end || ASCII_HYPH == **end)
-			(*end)++;
+			*start = ++*end;
 
 		switch (**end) {
 		case '(':