source@mandoc.bsd.lv
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: When a string comparison condition contains no mismatching
Date: Mon, 15 Dec 2014 22:53:43 -0500 (EST)
Message-ID: <11636415535390227872.enqueue@fantadrom.bsd.lv>

Log Message:
-----------
When a string comparison condition contains no mismatching character
but ends without the final delimiter, the parse point was advanced 
one character too far and the invalid pointer returned to the 
caller of roff_parseln().  Later use could potentially advance 
the pointer even further and maybe even write to it.
Fixing a buffer overrun found by jsg@ with afl (the most severe so far).

Modified Files:
--------------
    mdocml:
        roff.c

Revision Data
-------------
Index: roff.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/roff.c,v
retrieving revision 1.241
retrieving revision 1.242
diff -Lroff.c -Lroff.c -u -p -r1.241 -r1.242
--- roff.c
+++ roff.c
@@ -1236,7 +1236,7 @@ roff_evalstrcond(const char *v, int *pos
 out:
 	if (NULL == s3)
 		s3 = strchr(s2, '\0');
-	else
+	else if (*s3 != '\0')
 		s3++;
 	*pos = s3 - v;
 	return(match);
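
Review bot: the new `else if (*s3 != '\0')` at the `out:` label leaves a third case implicit, namely s3 already pointing at the terminating NUL because the closing delimiter is missing, and nothing in the code says that this case must fall through without an increment. A short comment above the branch, for example "do not step past the NUL when the final delimiter is missing", would keep a later cleanup from folding it back into a plain `else`. Since `*pos = s3 - v` is what the caller uses as its next parse position, a regression input whose string comparison ends without the final delimiter would be worth adding alongside this change, so the afl finding stays covered.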