Date: Thu, 9 Mar 2017 10:30:05 -0500 (EST)
Message-Id: <14985145889297943920.enqueue@fantadrom.bsd.lv>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: Fix blunder in previous: we must keep the line parse buffer

Log Message:
-----------
Fix blunder in previous: we must keep the line parse buffer
consistent even when aborting the parsing of the line.
That buffer is not our own, but owned and reused by mparse_buf_r(), read.c.
Returning without cleanup leaked memory and caused write overruns
of the old, typically much smaller buffer in mparse_buf_r().
Promptly noticed by tb@ with afl(1), using MALLOC_OPTIONS=C.

Modified Files:
--------------
    mdocml:
        roff.c

Revision Data
-------------
Index: roff.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/roff.c,v
retrieving revision 1.292
retrieving revision 1.293
diff -Lroff.c -Lroff.c -u -p -r1.292 -r1.293
--- roff.c
+++ roff.c
@@ -3092,6 +3092,8 @@ roff_userdef(ROFF_ARGS)
 	else if (++expand_count > EXPAND_LIMIT) {
 		mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
 		    ln, (int)(cp - n1), NULL);
+		free(buf->buf);
+		buf->buf = n1;
 		return ROFF_IGN;
 	}

--
To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
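Review bot: the two added lines `free(buf->buf);` and `buf->buf = n1;` before `return ROFF_IGN;` restore an invariant that the visible code leaves implicit, namely that `buf->buf` is borrowed from mparse_buf_r() and must point back at the caller's original buffer (`n1`, the same pointer the preceding `mandoc_msg()` call uses for its column computation `(int)(cp - n1)`) on every exit from roff_userdef(). Since the leak and the write overrun described in the log message came from exactly this path forgetting that rule, a short comment on these lines stating that `buf->buf` is not owned here and must be restored before any early return would make the next such path harder to get wrong, and it is worth checking that every other return in roff_userdef() that can fire after `buf->buf` has been replaced does the same cleanup.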