Date: Sat, 23 Apr 2022 09:02:47 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: mandoc: If the last data row of a tbl(7) contains nothing but a
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID: <33651302dfa9a1a2@mandoc.bsd.lv>

Log Message:
-----------
If the last data row of a tbl(7) contains nothing but a horizontal line,
do not skip closing the table and cleaning up memory at the end of the
table in the HTML output module.

This bug resulted in skipping the tblcalc() function and reusing the
existing roffcol array for the next tbl(7) processed. If the next table
had more columns than the one ending with a horizontal line in the last
data row, uninitialized memory was read, potentially resulting in
near-infinite output.

The bug was introduced in rev. 1.29 (2018/11/26) but only fully exposed
by rev. 1.38 (2021/09/09). Until rev. 1.37, it could only cause
misformatting and invalid HTML output syntax but not huge output
because up to that point, the function did not use the roffcol array.

Nasty bug found the hard way by Michael Stapelberg on the production
server manpages.debian.org. Michael also supplied example files and
excellent instructions on how to reproduce the bug, which was very
difficult because no real-world manual page is known that triggers the
bug by itself, so to reproduce the bug, mandoc(1) had to be invoked
with at least two file name arguments.

Modified Files:
--------------
    mandoc:
        tbl_html.c

Revision Data
-------------
Index: tbl_html.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/tbl_html.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -Ltbl_html.c -Ltbl_html.c -u -p -r1.40 -r1.41
--- tbl_html.c
+++ tbl_html.c
@@ -1,6 +1,7 @@ /* $Id$ */ /* - * Copyright (c) 2014,2015,2017,2018,2021 Ingo Schwarze + * Copyright (c) 2014, 2015, 2017, 2018, 2021, 2022 + * Ingo Schwarze * Copyright (c) 2011 Kristaps Dzonsons * * Permission to use, copy, modify, and distribute this software for any @@ -137,7 +138,7 @@ print_tbl(struct html *h, const struct t */ if (sp->pos != TBL_SPAN_DATA) - return; + goto out; /* Inhibit printing of spaces: we do padding ourselves. */ @@ -289,6 +290,7 @@ print_tbl(struct html *h, const struct t h->flags &= ~HTML_NONOSPACE; +out: if (sp->next == NULL) { assert(h->tbl.cols); free(h->tbl.cols); -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
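Review bot: the `goto out` at the `sp->pos != TBL_SPAN_DATA` check (hunk at -137,7) jumps over the `h->flags &= ~HTML_NONOSPACE;` reset shown in the last hunk, which is only safe because that flag is raised after this point (the "Inhibit printing of spaces" comment follows the check); a one-line comment at the check, such as `/* Horizontal line: nothing to print, but still close the table. */`, would record that `out` is the table's common exit and make it harder for a later change to reintroduce a bare `return` here, which is exactly how the original bug got in.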
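Review bot: the last hunk (at -289,6) ends right after `free(h->tbl.cols)`, so the diff does not show whether `h->tbl.cols` is reset to NULL afterwards; the commit message says the early return caused the existing roffcol array to be reused and tblcalc() to be skipped for the next table, so the fix only holds if that reset is present in the unchanged lines below the hunk and the next table's first row sees a NULL array. Worth confirming there, and worth adding a regression input of two files where the second table has more columns than the first, which is the invocation the commit message says is needed to trigger the bug.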
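As an added example that is not mandoc's own code, the following C model reproduces the state-lifetime bug the commit message describes: a per-table column array is allocated lazily on the first row and freed after the last row, and an early return on a row that is not data (a horizontal line) skips that cleanup, so the next table silently reuses an array sized for the previous one. The names (struct tbl_state, calc_cols, print_row, two_tables) and the two tables fed through it are constructed for illustration; mandoc's real structures are struct roffcol and h->tbl.cols, and the real code read past the array where this model reports it.

```c
#include <stdlib.h>
#include <string.h>

enum span_kind { SPAN_DATA, SPAN_HLINE };

/* One tbl(7) row in this constructed model; a horizontal line has no cells. */
struct span {
	enum span_kind kind;
	size_t ncols;            /* columns in this row (table width for a line) */
	const char **cells;      /* NULL for a horizontal line */
	const struct span *next; /* NULL on the last row of the table */
};

/* State that outlives one table, like h->tbl in mandoc's HTML formatter. */
struct tbl_state {
	size_t *width;  /* stands in for the roffcol array; NULL between tables */
	size_t ncols;   /* number of entries in width[] */
};

/* Stand-in for tblcalc(): size width[] from the table's first row. */
static void
calc_cols(struct tbl_state *st, const struct span *first)
{
	const struct span *sp;
	size_t i, len;

	st->ncols = first->ncols;
	st->width = calloc(st->ncols, sizeof(*st->width));
	if (st->width == NULL)
		abort();
	for (sp = first; sp != NULL; sp = sp->next) {
		if (sp->kind != SPAN_DATA)
			continue;
		for (i = 0; i < sp->ncols && i < st->ncols; i++) {
			len = strlen(sp->cells[i]);
			if (len > st->width[i])
				st->width[i] = len;
		}
	}
}

/*
 * Lay out one row.  Returns the number of cells placed, or -1 when the row
 * needs more columns than width[] holds, the point where the real code read
 * uninitialized memory.  fixed=0 models the early return of rev. 1.40,
 * fixed=1 the goto-out exit of rev. 1.41.
 */
static int
print_row(struct tbl_state *st, const struct span *sp, int fixed)
{
	int rendered = 0;
	size_t i;

	if (st->width == NULL)
		calc_cols(st, sp);

	if (sp->kind != SPAN_DATA) {
		if (!fixed)
			return 0;   /* BUG: skips the per-table cleanup below */
		goto out;
	}
	for (i = 0; i < sp->ncols; i++) {
		if (i >= st->ncols)
			return -1;  /* stale array left over from the previous table */
		rendered++;         /* real code: pad cell i to width[i] */
	}
out:
	if (sp->next == NULL) {     /* last row: release per-table state */
		free(st->width);
		st->width = NULL;
		st->ncols = 0;
	}
	return rendered;
}

/*
 * Feed table A (two columns, last row a horizontal line) and then table B
 * (three columns) through one shared state, the two-file invocation the
 * commit message describes.  Returns print_row()'s result for B's row:
 * -1 with the buggy exit, 3 with the fixed one.
 */
static int
two_tables(int fixed)
{
	static const char *a_cells[] = { "key", "value" };
	static const char *b_cells[] = { "x", "y", "z" };
	const struct span a_line = { SPAN_HLINE, 2, NULL, NULL };
	const struct span a_row = { SPAN_DATA, 2, a_cells, &a_line };
	const struct span b_row = { SPAN_DATA, 3, b_cells, NULL };
	struct tbl_state st = { NULL, 0 };
	const struct span *sp;
	int r;

	for (sp = &a_row; sp != NULL; sp = sp->next)
		print_row(&st, sp, fixed);
	r = print_row(&st, &b_row, fixed);
	free(st.width);             /* reclaim the stale array in the buggy run */
	return r;
}
```

Call two_tables(0) and two_tables(1) from a main() of your own: the first returns -1 at the third column of table B, where rev. 1.40 would have indexed a two-entry array, and the second returns 3 because the horizontal line reached the cleanup and table B got a fresh array. The pattern to take away is general: a function that owns per-call state and releases it in its "last row" branch must route every exit, including early exits for rows it has nothing to print, through that branch.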