* mdocml: prevent infinite recursion while expanding the arguments of a
@ 2017-03-08 13:18 schwarze
From: schwarze @ 2017-03-08 13:18 UTC (permalink / raw)
To: source
Log Message:
-----------
prevent infinite recursion while expanding the arguments
of a user-defined macro; issue found by tb@ with afl(1)
Modified Files:
--------------
mdocml:
roff.c
mdocml/regress/roff/de:
infinite.in
infinite.out_ascii
infinite.out_lint
Revision Data
-------------
Index: roff.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/roff.c,v
retrieving revision 1.291
retrieving revision 1.292
diff -Lroff.c -Lroff.c -u -p -r1.291 -r1.292
--- roff.c
+++ roff.c
@@ -3038,7 +3038,7 @@ roff_userdef(ROFF_ARGS)
{
const char *arg[9], *ap;
char *cp, *n1, *n2;
- int i, ib, ie;
+ int expand_count, i, ib, ie;
size_t asz, rsz;
/*
@@ -3062,8 +3062,9 @@ roff_userdef(ROFF_ARGS)
*/
buf->sz = strlen(r->current_string) + 1;
- n1 = cp = mandoc_malloc(buf->sz);
+ n1 = n2 = cp = mandoc_malloc(buf->sz);
memcpy(n1, r->current_string, buf->sz);
+ expand_count = 0;
while (*cp != '\0') {
/* Scan ahead for the next argument invocation. */
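Review bot: n2 is initialised here only as part of the chained assignment `n1 = n2 = cp = mandoc_malloc(buf->sz);`, with no comment on what it marks. The check added further down compares cp against n2, so a reader has to infer from that comparison that n2 is a position inside the buffer being expanded. I would set it on its own line with a short comment stating what it points to, and note next to `expand_count = 0;` what is being counted.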
@@ -3081,6 +3082,18 @@ roff_userdef(ROFF_ARGS)
continue;
}
cp -= 2;
+
+ /*
+ * Prevent infinite recursion.
+ */
+
+ if (cp >= n2)
+ expand_count = 1;
+ else if (++expand_count > EXPAND_LIMIT) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(cp - n1), NULL);
+ return ROFF_IGN;
+ }
/*
* Determine the size of the expanded argument,
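Review bot: the new `return ROFF_IGN;` leaves the function without releasing or handing over n1, which an earlier hunk allocates with mandoc_malloc(). Unless code outside these hunks takes care of it, every input line that trips the limit leaks the partially expanded buffer, so consider freeing it or storing it in buf before returning. The comment "Prevent infinite recursion." would also be more useful if it stated the invariant behind `cp >= n2`, since that comparison decides whether the counter is reset or incremented.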
Index: infinite.in
===================================================================
RCS file: /home/cvs/mdocml/mdocml/regress/roff/de/infinite.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -Lregress/roff/de/infinite.in -Lregress/roff/de/infinite.in -u -p -r1.1 -r1.2
--- regress/roff/de/infinite.in
+++ regress/roff/de/infinite.in
@@ -7,6 +7,12 @@
.Sh DESCRIPTION
initial text
.de mym
+.Op \\$1 \\$2
+..
+.mym $1 \$1
+.mym \$1 nothing
+middle text
+.de mym
.mym
not printed
..
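Review bot: the only non-terminating input added is `.mym \$1 nothing`, where an argument names itself. A case where two arguments name each other, for example `.mym \$2 \$1`, would check that the limit also triggers on an indirect cycle. A `.\"` comment above each call saying which one is expected to terminate would make the expected output easier to verify.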
Index: infinite.out_ascii
===================================================================
RCS file: /home/cvs/mdocml/mdocml/regress/roff/de/infinite.out_ascii,v
retrieving revision 1.1
retrieving revision 1.2
diff -Lregress/roff/de/infinite.out_ascii -Lregress/roff/de/infinite.out_ascii -u -p -r1.1 -r1.2
--- regress/roff/de/infinite.out_ascii
+++ regress/roff/de/infinite.out_ascii
@@ -4,6 +4,6 @@ N\bNA\bAM\bME\bE
d\bde\be-\b-i\bin\bnf\bfi\bin\bni\bit\bte\be - inifinte recursion in a user-defined macro
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- initial text final text
+ initial text [$1 $1] middle text final text
OpenBSD March 7, 2017 OpenBSD
Index: infinite.out_lint
===================================================================
RCS file: /home/cvs/mdocml/mdocml/regress/roff/de/infinite.out_lint,v
retrieving revision 1.1
retrieving revision 1.2
diff -Lregress/roff/de/infinite.out_lint -Lregress/roff/de/infinite.out_lint -u -p -r1.1 -r1.2
--- regress/roff/de/infinite.out_lint
+++ regress/roff/de/infinite.out_lint
@@ -1 +1,2 @@
mandoc: infinite.in:13:5: ERROR: input stack limit exceeded, infinite loop?
+mandoc: infinite.in:19:5: ERROR: input stack limit exceeded, infinite loop?
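Review bot: both diagnostics now carry the identical text "input stack limit exceeded, infinite loop?", because the new check in roff.c reports through MANDOCERR_ROFFLOOP. That wording describes the input stack rather than the expansion count that roff.c compares against EXPAND_LIMIT, so a user reading the lint output cannot tell the two failure modes apart. A separate message, or more general wording for the shared one, would help.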