From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]); by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 1a9c882c; for ; Wed, 24 Dec 2014 04:59:05 -0500 (EST) Date: Wed, 24 Dec 2014 04:59:05 -0500 (EST) Message-Id: <13157142330515433674.enqueue@fantadrom.bsd.lv> X-Mailinglist: mdocml-source Reply-To: source@mdocml.bsd.lv MIME-Version: 1.0 From: schwarze@mdocml.bsd.lv To: source@mdocml.bsd.lv Subject: mdocml: When a man(7) document contains unreasonably large numbers for X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Log Message: ----------- When a man(7) document contains unreasonably large numbers for indentations or paragraph distances, large output may be generated, which is practically the same as an endless loop; found by jsg@ with afl. Reject such unreasonably large numbers beyond arbitrary limits similar to those used by groff (max. 65 blank lines between paragraphs and max. SHRT_MAX characters per output line) and fall back to defaults when exceeded. Having the limits behave in exactly the same way is not relevant. Modified Files: -------------- mdocml: man_term.c term.c Revision Data ------------- Index: term.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/term.c,v retrieving revision 1.240 retrieving revision 1.241 diff -Lterm.c -Lterm.c -u -p -r1.240 -r1.241 --- term.c +++ term.c @@ -773,6 +773,7 @@ int term_vspan(const struct termp *p, const struct roffsu *su) { double r; + int ri; switch (su->unit) { case SCALE_BU: 
@@ -808,7 +809,8 @@ term_vspan(const struct termp *p, const abort(); /* NOTREACHED */ } - return(r > 0.0 ? r + 0.4995 : r - 0.4995); + ri = r > 0.0 ? r + 0.4995 : r - 0.4995; + return(ri < 66 ? ri : 1); } int Index: man_term.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/man_term.c,v retrieving revision 1.163 retrieving revision 1.164 diff -Lman_term.c -Lman_term.c -u -p -r1.163 -r1.164 --- man_term.c +++ man_term.c @@ -21,6 +21,7 @@ #include #include +#include #include #include #include @@ -432,6 +433,8 @@ pre_in(DECL_ARGS) p->offset += v; else p->offset = v; + if (p->offset > SHRT_MAX) + p->offset = term_len(p, p->defindent); return(0); } @@ -508,16 +511,16 @@ pre_HP(DECL_ARGS) if ((nn = n->parent->head->child) != NULL && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); + if (len < 0 && (size_t)(-len) > mt->offset) + len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; p->offset = mt->offset; - if (len > 0 || (size_t)(-len) < mt->offset) - p->rmargin = mt->offset + len; - else - p->rmargin = 0; - + p->rmargin = mt->offset + len; return(1); } @@ -582,9 +585,11 @@ pre_IP(DECL_ARGS) (nn = nn->next) != NULL && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); - mt->lmargin[mt->lmargincur] = len; if (len < 0 && (size_t)(-len) > mt->offset) len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); + mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; 
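Review bot: The 66 limit in term_vspan is tested on `ri` after the double has already been converted to int, and converting a double that does not fit in an int is undefined behaviour in C, so a very large value in `r` is not reliably caught by `ri < 66`. Whether a2roffsu can produce such a magnitude is not visible here, but comparing the double first avoids relying on that, e.g. `if (r >= 66.0) return(1);` ahead of the assignment to `ri`. Large negative results still pass through with no lower bound. A short comment tying 66 to the 65-blank-line limit named in the log message would explain the otherwise bare constant. The function body starts outside this hunk.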
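Review bot: The `> SHRT_MAX` test with its fallback to `term_len(p, p->defindent)` is written out here in pre_in and again in the pre_HP, pre_IP, pre_TP, pre_RS and post_RS hunks, so the limit and the fallback policy now live in six places. A small static helper that takes `p` and the candidate width and returns either that width or the default would keep them in step if the limit is ever tuned. In pre_in the test runs after `p->offset += v` / `p->offset = v`, so if `p->offset` is an unsigned type (not visible in this hunk) it also catches a wrapped result. Once that is confirmed, it deserves a comment such as `/* also catches wraparound of the unsigned offset */`.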
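Review bot: In pre_HP, `p->rmargin = mt->offset + len;` is now unconditional, but the new clamp to `-mt->offset` only runs in the branch that parses a fresh width. In the `else` branch `len` comes from `mt->lmargin[mt->lmargincur]`, which was clamped against whatever `mt->offset` was when it was stored. If the offset can be smaller by the time the value is reused (the RS handlers appear to adjust it, though that code is outside these hunks), and assuming `mt->offset` is unsigned as the casts suggest, the sum wraps to a very large right margin instead of the 0 the removed check produced. Repeating `if (len < 0 && (size_t)(-len) > mt->offset) len = -mt->offset;` just before the assignment would cover both sources of `len`. Separately, `-len` overflows when `len == INT_MIN`; the same expression appears in the pre_IP and pre_TP hunks.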
@@ -662,9 +667,11 @@ pre_TP(DECL_ARGS) nn->string != NULL && ! (MAN_LINE & nn->flags) && a2roffsu(nn->string, &su, SCALE_EN)) { len = term_hspan(p, &su); - mt->lmargin[mt->lmargincur] = len; if (len < 0 && (size_t)(-len) > mt->offset) len = -mt->offset; + else if (len > SHRT_MAX) + len = term_len(p, p->defindent); + mt->lmargin[mt->lmargincur] = len; } else len = mt->lmargin[mt->lmargincur]; @@ -845,10 +852,11 @@ pre_RS(DECL_ARGS) break; } + len = SHRT_MAX + 1; if ((n = n->parent->head->child) != NULL && a2roffsu(n->string, &su, SCALE_EN)) len = term_hspan(p, &su); - else + if (len > SHRT_MAX) len = term_len(p, p->defindent); if (len > 0 || (size_t)(-len) < mt->offset) @@ -881,10 +889,11 @@ post_RS(DECL_ARGS) break; } + len = SHRT_MAX + 1; if ((n = n->parent->head->child) != NULL && a2roffsu(n->string, &su, SCALE_EN)) len = term_hspan(p, &su); - else + if (len > SHRT_MAX) len = term_len(p, p->defindent); if (len < 0 || (size_t)len < mt->offset) -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
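Review bot: `len = SHRT_MAX + 1;` in pre_RS, and again in post_RS, uses an out-of-range value as a "nothing parsed" marker so that the following `if (len > SHRT_MAX)` selects the default, which reads like a mistake at first glance. A comment on the assignment such as `/* sentinel: forces the default indent below */` would make the intent clear in both functions. Negative widths get no explicit lower bound in these hunks; they are left to the `(size_t)(-len) < mt->offset` and `(size_t)len < mt->offset` tests that follow, whose bodies are outside the hunks. Because post_RS recomputes the width independently, both functions need to keep applying exactly the same fallback so the offset is restored symmetrically.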