authorschwarze <schwarze@openbsd.org>2018-08-01 15:39:47 +0000
committerschwarze <schwarze@openbsd.org>2018-08-01 15:39:47 +0000
commitd036545502790e3a57d7219369aa50fe0c686589 (patch)
tree8720b8553a68647133747482823058d96e780298 /usr.bin/mandoc/roff.c
parentInitialize new lineflag member. (diff)
After rewriting the parse buffer from scratch, we also have to reset
the parse point to the beginning of the new buffer, or we risk out-of-bounds accesses. Bug found by Leah Neukirchen <leah at vuxu dot org> with valgrind on Void Linux.
Diffstat (limited to 'usr.bin/mandoc/roff.c')
-rw-r--r--usr.bin/mandoc/roff.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/mandoc/roff.c b/usr.bin/mandoc/roff.c
index e0b5ed67f46..2e4e9c11757 100644
--- a/usr.bin/mandoc/roff.c
+++ b/usr.bin/mandoc/roff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roff.c,v 1.200 2018/04/11 17:10:35 schwarze Exp $ */
+/* $OpenBSD: roff.c,v 1.201 2018/08/01 15:39:47 schwarze Exp $ */
/*
* Copyright (c) 2008-2012, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2010-2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -2843,6 +2843,7 @@ roff_TE(ROFF_ARGS)
free(buf->buf);
buf->buf = mandoc_strdup(".sp");
buf->sz = 4;
+ *offs = 0;
return ROFF_REPARSE;
}
r->tbl = NULL;
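Review bot: The added `*offs = 0;` in roff_TE, like the identical additions in roff_userdef and roff_renamed, has no comment, so the rule that a handler replacing `buf->buf` must also rewind the parse offset is recorded only in the commit message. A one-line comment at each site, such as `/* buf->buf was replaced; the old offset may lie beyond the new buffer */`, would make the invariant visible to whoever adds the next handler that swaps the buffer. This diff shows only these three sites, so it may be worth checking whether any other place in roff.c frees and replaces `buf->buf` without resetting the offset. The body of roff_TE starts outside the hunk.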
@@ -3362,6 +3363,7 @@ roff_userdef(ROFF_ARGS)
ln, (int)(cp - n1), NULL);
free(buf->buf);
buf->buf = n1;
+ *offs = 0;
return ROFF_IGN;
}
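Review bot: In the visible lines of roff_userdef, `buf->buf` is replaced by `n1` and `*offs` is reset, but `buf->sz` is not updated, whereas the roff_TE and roff_renamed sites set it next to the buffer swap. If `buf->sz` is not assigned earlier in the function, outside this hunk, it would still describe the freed buffer, and any later bounds check against it would use the wrong length. Since this path returns `ROFF_IGN` the line is presumably not parsed further, so this may be harmless; a brief comment saying so, or setting `buf->sz = strlen(n1) + 1;` before the return, would remove the doubt.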
@@ -3456,6 +3458,7 @@ roff_renamed(ROFF_ARGS)
buf->buf[pos] == '\0' ? "" : " ", buf->buf + pos) + 1;
free(buf->buf);
buf->buf = nbuf;
+ *offs = 0;
return ROFF_CONT;
}