source@mandoc.bsd.lv
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: mandoc: If the last data row of a tbl(7) contains nothing but a
Date: Sat, 23 Apr 2022 09:02:47 -0500 (EST)
Message-ID: <33651302dfa9a1a2@mandoc.bsd.lv>

Log Message:
-----------
If the last data row of a tbl(7) contains nothing but a horizontal line,
do not skip closing the table and cleaning up memory at the end of the 
table in the HTML output module.

This bug resulted in skipping the tblcalc() function and reusing
the existing roffcol array for the next tbl(7) processed.  If the
next table had more columns than the one ending with a horizontal
line in the last data row, uninitialized memory was read, potentially 
resulting in near-infinite output.

The bug was introduced in rev. 1.29 (2018/11/26) but only fully exposed
by rev. 1.38 (2021/09/09).  Until rev. 1.37, it could only cause 
misformatting and invalid HTML output syntax but not huge output
because up to that point, the function did not use the roffcol array.

Nasty bug found the hard way by Michael Stapelberg on the production
server manpages.debian.org.  Michael also supplied example files 
and excellent instructions how to reproduce the bug, which was very
difficult because no real-world manual page is known that triggers
the bug by itself, so to reproduce the bug, mandoc(1) had to be
invoked with at least two file name arguments.

Modified Files:
--------------
    mandoc:
        tbl_html.c

Revision Data
-------------
Index: tbl_html.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/tbl_html.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -Ltbl_html.c -Ltbl_html.c -u -p -r1.40 -r1.41
--- tbl_html.c
+++ tbl_html.c
@@ -1,6 +1,7 @@
 /* $Id$ */
 /*
- * Copyright (c) 2014,2015,2017,2018,2021 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014, 2015, 2017, 2018, 2021, 2022
+ *               Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -137,7 +138,7 @@ print_tbl(struct html *h, const struct t
 	 */
 
 	if (sp->pos != TBL_SPAN_DATA)
-		return;
+		goto out;
 
 	/* Inhibit printing of spaces: we do padding ourselves. */
 
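Review bot: The `goto out` in the `sp->pos != TBL_SPAN_DATA` branch makes the end-of-table block reachable for a span that printed nothing, and that block starts with `assert(h->tbl.cols)`. Please confirm that the column array is always allocated before this check, including for a table whose only span is a horizontal line, since otherwise the assertion would abort on such input. The comment ending just above the check should also say that non-data spans still fall through to the cleanup, so that a later edit does not turn this back into a plain `return`.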
@@ -289,6 +290,7 @@ print_tbl(struct html *h, const struct t
 
 	h->flags &= ~HTML_NONOSPACE;
 
+out:
 	if (sp->next == NULL) {
 		assert(h->tbl.cols);
 		free(h->tbl.cols);
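Review bot: The `out:` label sits after `h->flags &= ~HTML_NONOSPACE;`, which is right for the early exit because that path jumps before the "Inhibit printing of spaces" step, but the visible part of the cleanup stops at `free(h->tbl.cols);`. Since the log message traces the bug to the next table reusing the old roffcol array, check that the pointer is reset to NULL directly after the free, so that any other path that skips setup trips `assert(h->tbl.cols)` rather than reading stale memory. The commit changes only tbl_html.c; a regression test that passes two files to mandoc(1), the first ending in a horizontal-line row and the second with more columns, would keep this from coming back.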