Fix an out of bounds read access to a constant array that caused

segfaults on certain hardened versions of glibc.  Triggered by .sp
or blank lines right before .SS or .SH, or before the first .Sh.
Found the hard way by Dr. Markus Waldner on Debian
and by Leah Neukirchen on Void Linux.

1 files changed, 3 insertions, 3 deletions

diff --git a/usr.bin/mandoc/man_term.c b/usr.bin/mandoc/man_term.c
index 0bd7770395b..6fd2368e13c 100644
--- a/usr.bin/mandoc/man_term.c
+++ b/usr.bin/mandoc/man_term.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: man_term.c,v 1.161 2017/06/25 07:23:53 bentley Exp $ */
+/*	$OpenBSD: man_term.c,v 1.162 2017/07/31 15:18:59 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2015, 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -671,7 +671,7 @@ pre_SS(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SS && n->body->child == NULL))
 			break;
@@ -733,7 +733,7 @@ pre_SH(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SH && n->body->child == NULL))
 			break;