author: schwarze <schwarze@openbsd.org> 2014-12-16 03:52:31 +0000
committer: schwarze <schwarze@openbsd.org> 2014-12-16 03:52:31 +0000
commit: 9711162830eab185efbe036d20fa0a0add71b4e8
tree: 387a515fa35036e5dc1d51e9da069413a7548111
parent: Replace setpgrp(0, getpid()) with setpgid(0, 0). OK deraadt@ tedu@
When a string comparison condition contains no mismatching character
but ends without the final delimiter, the parse point was advanced one character too far and the invalid pointer returned to the caller of roff_parseln(). Later use could potentially advance the pointer even further and maybe even write to it. Fixing a buffer overrun found by jsg@ with afl (the most severe so far).
-rw-r--r-- usr.bin/mandoc/roff.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c
index e7d9795cde0..9f85d50e756 100644
--- a/usr.bin/mandoc/roff.c
+++ b/usr.bin/mandoc/roff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roff.c,v 1.113 2014/12/16 01:21:37 schwarze Exp $ */
+/* $OpenBSD: roff.c,v 1.114 2014/12/16 03:52:31 schwarze Exp $ */
/*
* Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -1234,7 +1234,7 @@ roff_evalstrcond(const char *v, int *pos)
out:
if (NULL == s3)
s3 = strchr(s2, '\0');
- else
+ else if (*s3 != '\0')
s3++;
*pos = s3 - v;
return(match);
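Review bot: The new guard at `else if (*s3 != '\0')` needs a one-line comment saying when s3 can be non-NULL yet already sit on the terminating NUL; the commit message says this happens when the condition ends without the final delimiter, but nothing in the code at the `out:` label records that, and a later cleanup could easily fold the branch back into a bare `else`. It would also help to commit the afl-found input as a regression test alongside this change, so that `*pos = s3 - v` is checked to never exceed the length of the string at v. Separately, the `NULL == s3` branch calls `strchr(s2, '\0')` unconditionally, so it is worth confirming that every jump to `out:` happens after s2 has been assigned; that cannot be verified from the lines shown here.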