diff options
| author |   schwarze <schwarze@openbsd.org> | 2014-12-28 14:16:07 +0000 |
|---|---|---|
| committer | schwarze <schwarze@openbsd.org> | 2014-12-28 14:16:07 +0000 |
| commit | 953ff27a1a7b9355ecba5108dc5c7553aff5105b (patch) | |
| tree | 7b4f5ccdcce2fd83afa4e85128492689d0f1c5a5 | |
| parent | Add regression tests where OpenBSD syslogd is sending messages to (diff) | |
| download | wireguard-openbsd-953ff27a1a7b9355ecba5108dc5c7553aff5105b.tar.xz wireguard-openbsd-953ff27a1a7b9355ecba5108dc5c7553aff5105b.zip | |
improve previous: do the size check up front to avoid leaking memory
| -rw-r--r-- | usr.bin/mandoc/roff.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c index 7d6a02e7ba8..65b43948f6f 100644 --- a/usr.bin/mandoc/roff.c +++ b/usr.bin/mandoc/roff.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roff.c,v 1.117 2014/12/25 17:18:40 schwarze Exp $ */ +/* $OpenBSD: roff.c,v 1.118 2014/12/28 14:16:07 schwarze Exp $ */ /* * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -649,6 +649,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos) r->parse, ln, (int)(stesc - buf->buf), "%.*s", (int)naml, stnam); res = ""; + } else if (buf->sz + strlen(res) > SHRT_MAX) { + mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, + ln, (int)(stesc - buf->buf), NULL); + return(ROFF_IGN); } /* Replace the escape sequence by the string. */ @@ -657,12 +661,6 @@ roff_res(struct roff *r, struct buf *buf, int ln, int pos) buf->sz = mandoc_asprintf(&nbuf, "%s%s%s", buf->buf, res, cp) + 1; - if (buf->sz > SHRT_MAX) { - mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, - ln, (int)(stesc - buf->buf), NULL); - return(ROFF_IGN); - } - /* Prepare for the next replacement. */ start = nbuf + pos; |