mdocml: When a man(7) document contains unreasonably large numbers for

mdocml: When a man(7) document contains unreasonably large numbers for

[schwarze]

Log Message:
-----------
When a man(7) document contains unreasonably large numbers for
indentations or paragraph distances, large output may be generated,
which is practically the same as an endless loop; found by jsg@ 
with afl.
Reject such unreasonably large numbers beyond arbitrary limits
similar to those used by groff (max. 65 blank lines between paragraphs
and max. SHRT_MAX characters per output line) and fall back to 
defaults when exceeded.  Having the limits behave in exactly the
same way is not relevant.

Modified Files:
--------------
    mdocml:
        man_term.c
        term.c

Revision Data
-------------
Index: term.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/term.c,v
retrieving revision 1.240
retrieving revision 1.241
diff -Lterm.c -Lterm.c -u -p -r1.240 -r1.241
--- term.c
+++ term.c
@@ -773,6 +773,7 @@ int
 term_vspan(const struct termp *p, const struct roffsu *su)
 {
 	double		 r;
+	int		 ri;
 
 	switch (su->unit) {
 	case SCALE_BU:
@@ -808,7 +809,8 @@ term_vspan(const struct termp *p, const 
 		abort();
 		/* NOTREACHED */
 	}
-	return(r > 0.0 ? r + 0.4995 : r - 0.4995);
+	ri = r > 0.0 ? r + 0.4995 : r - 0.4995;
+	return(ri < 66 ? ri : 1);
 }
 
 int
Index: man_term.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/man_term.c,v
retrieving revision 1.163
retrieving revision 1.164
diff -Lman_term.c -Lman_term.c -u -p -r1.163 -r1.164
--- man_term.c
+++ man_term.c
@@ -21,6 +21,7 @@
 
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -432,6 +433,8 @@ pre_in(DECL_ARGS)
 		p->offset += v;
 	else
 		p->offset = v;
+	if (p->offset > SHRT_MAX)
+		p->offset = term_len(p, p->defindent);
 
 	return(0);
 }
@@ -508,16 +511,16 @@ pre_HP(DECL_ARGS)
 	if ((nn = n->parent->head->child) != NULL &&
 	    a2roffsu(nn->string, &su, SCALE_EN)) {
 		len = term_hspan(p, &su);
+		if (len < 0 && (size_t)(-len) > mt->offset)
+			len = -mt->offset;
+		else if (len > SHRT_MAX)
+			len = term_len(p, p->defindent);
 		mt->lmargin[mt->lmargincur] = len;
 	} else
 		len = mt->lmargin[mt->lmargincur];
 
 	p->offset = mt->offset;
-	if (len > 0 || (size_t)(-len) < mt->offset)
-		p->rmargin = mt->offset + len;
-	else
-		p->rmargin = 0;
-
+	p->rmargin = mt->offset + len;
 	return(1);
 }
 
@@ -582,9 +585,11 @@ pre_IP(DECL_ARGS)
 	    (nn = nn->next) != NULL &&
 	    a2roffsu(nn->string, &su, SCALE_EN)) {
 		len = term_hspan(p, &su);
-		mt->lmargin[mt->lmargincur] = len;
 		if (len < 0 && (size_t)(-len) > mt->offset)
 			len = -mt->offset;
+		else if (len > SHRT_MAX)
+			len = term_len(p, p->defindent);
+		mt->lmargin[mt->lmargincur] = len;
 	} else
 		len = mt->lmargin[mt->lmargincur];
 
@@ -662,9 +667,11 @@ pre_TP(DECL_ARGS)
 	    nn->string != NULL && ! (MAN_LINE & nn->flags) &&
 	    a2roffsu(nn->string, &su, SCALE_EN)) {
 		len = term_hspan(p, &su);
-		mt->lmargin[mt->lmargincur] = len;
 		if (len < 0 && (size_t)(-len) > mt->offset)
 			len = -mt->offset;
+		else if (len > SHRT_MAX)
+			len = term_len(p, p->defindent);
+		mt->lmargin[mt->lmargincur] = len;
 	} else
 		len = mt->lmargin[mt->lmargincur];
 
@@ -845,10 +852,11 @@ pre_RS(DECL_ARGS)
 		break;
 	}
 
+	len = SHRT_MAX + 1;
 	if ((n = n->parent->head->child) != NULL &&
 	    a2roffsu(n->string, &su, SCALE_EN))
 		len = term_hspan(p, &su);
-	else
+	if (len > SHRT_MAX)
 		len = term_len(p, p->defindent);
 
 	if (len > 0 || (size_t)(-len) < mt->offset)
@@ -881,10 +889,11 @@ post_RS(DECL_ARGS)
 		break;
 	}
 
+	len = SHRT_MAX + 1;
 	if ((n = n->parent->head->child) != NULL &&
 	    a2roffsu(n->string, &su, SCALE_EN))
 		len = term_hspan(p, &su);
-	else
+	if (len > SHRT_MAX)
 		len = term_len(p, p->defindent);
 
 	if (len < 0 || (size_t)len < mt->offset)
--
 To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv