From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (fantadrom.bsd.lv [local])
	by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id bacf62df
	for <source@mandoc.bsd.lv>;
	Mon, 31 Jul 2017 10:19:36 -0500 (EST)
Date: Mon, 31 Jul 2017 10:19:36 -0500 (EST)
Message-Id: <10755769236089887794.enqueue@fantadrom.bsd.lv>
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: mandoc: Fix an out of bounds read access to a constant array that caused  
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
Fix an out of bounds read access to a constant array that caused 
segfaults on certain hardened versions of glibc.  Triggered by .sp
or blank lines right before .SS or .SH, or before the first .Sh.
Found the hard way by Dr. Markus Waldner on Debian 
and by Leah Neukirchen on Void Linux.

Modified Files:
--------------
    mandoc:
        man_term.c
        mdoc_validate.c

Revision Data
-------------
Index: mdoc_validate.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/mdoc_validate.c,v
retrieving revision 1.350
retrieving revision 1.351
diff -Lmdoc_validate.c -Lmdoc_validate.c -u -p -r1.350 -r1.351
--- mdoc_validate.c
+++ mdoc_validate.c
@@ -1931,7 +1931,7 @@ post_root(POST_ARGS)
 	/* Check that we begin with a proper `Sh'. */
 
 	n = mdoc->first->child;
-	while (n != NULL && n->tok != TOKEN_NONE &&
+	while (n != NULL && n->tok >= MDOC_Dd &&
 	    mdoc_macros[n->tok].flags & MDOC_PROLOGUE)
 		n = n->next;
 
Index: man_term.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/man_term.c,v
retrieving revision 1.208
retrieving revision 1.209
diff -Lman_term.c -Lman_term.c -u -p -r1.208 -r1.209
--- man_term.c
+++ man_term.c
@@ -673,7 +673,7 @@ pre_SS(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SS && n->body->child == NULL))
 			break;
@@ -735,7 +735,7 @@ pre_SH(DECL_ARGS)
 
 		do {
 			n = n->prev;
-		} while (n != NULL && n->tok != TOKEN_NONE &&
+		} while (n != NULL && n->tok >= MAN_TH &&
 		    termacts[n->tok].flags & MAN_NOTEXT);
 		if (n == NULL || (n->tok == MAN_SH && n->body->child == NULL))
 			break;
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv