source@mandoc.bsd.lv
* mandoc: Fix an out of bounds read access to a constant array that caused
@ 2017-07-31 15:19 schwarze
From: schwarze @ 2017-07-31 15:19 UTC (permalink / raw)
  To: source

Log Message:
-----------
Fix an out of bounds read access to a constant array that caused 
segfaults on certain hardened versions of glibc.  Triggered by .sp
or blank lines right before .SS or .SH, or before the first .Sh.
Found the hard way by Dr. Markus Waldner on Debian 
and by Leah Neukirchen on Void Linux.

Modified Files:
--------------
    mandoc:
        man_term.c
        mdoc_validate.c

Revision Data
-------------
Index: mdoc_validate.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/mdoc_validate.c,v
retrieving revision 1.350
retrieving revision 1.351
diff -Lmdoc_validate.c -Lmdoc_validate.c -u -p -r1.350 -r1.351
--- mdoc_validate.c
+++ mdoc_validate.c
@@ -1931,7 +1931,7 @@ post_root(POST_ARGS)
 	/* Check that we begin with a proper `Sh'. */
 
 	n = mdoc->first->child;
-	while (n != NULL && n->tok != TOKEN_NONE &&
+	while (n != NULL && n->tok >= MDOC_Dd &&
 	    mdoc_macros[n->tok].flags & MDOC_PROLOGUE)
 		n = n->next;
 
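Review bot: in the `while` condition of post_root, replacing `n->tok != TOKEN_NONE` with `n->tok >= MDOC_Dd` makes the loop depend on TOKEN_NONE comparing below MDOC_Dd, and nothing in the visible lines states that ordering. A short comment above the loop saying that mdoc_macros[] may only be indexed with tokens from MDOC_Dd upward, and that TOKEN_NONE is expected to sort below it, would keep a later reordering of the token values from silently bringing the out-of-bounds read back. The comparison also guards only the lower end of the index; if the token type can hold values above the mdoc range, the upper bound belongs in the same condition.
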
Index: man_term.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/man_term.c,v
retrieving revision 1.208
retrieving revision 1.209
diff -Lman_term.c -Lman_term.c -u -p -r1.208 -r1.209
--- man_term.c
+++ man_term.c
@@ -673,7 +673,7 @@ pre_SS(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SS && n->body->child == NULL))
 			break;
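Review bot: the loop condition in pre_SS changes without a regression test; the commit modifies only man_term.c and mdoc_validate.c. The log message names the trigger (.sp or a blank line right before .SS), so a small input with exactly that sequence in the test suite would pin the fix. Because the bad read was from a constant array and only crashed on certain hardened glibc versions, the test is most useful when run under a memory checker rather than relying on a segfault.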
@@ -735,7 +735,7 @@ pre_SH(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SH && n->body->child == NULL))
 			break;
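Review bot: the `do ... while` in pre_SH carries the same condition as the one in pre_SS, so the bounds check `n->tok >= MAN_TH` before `termacts[n->tok].flags & MAN_NOTEXT` now has to be kept correct in two places. Moving the backward scan into one small static helper that returns the previous node not flagged MAN_NOTEXT would leave a single copy of the index guard to review, with pre_SS and pre_SH keeping only their own `MAN_SS` and `MAN_SH` tests.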