From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.0 required=5.0 tests=T_SCC_BODY_TEXT_LINE, UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 21578 invoked from network); 24 Apr 2022 13:39:22 -0000 Received: from bsd.lv (HELO mandoc.bsd.lv) (66.111.2.12) by inbox.vuxu.org with ESMTPUTF8; 24 Apr 2022 13:39:22 -0000 Received: from fantadrom.bsd.lv (localhost [127.0.0.1]) by mandoc.bsd.lv (OpenSMTPD) with ESMTP id d3182e06 for ; Sun, 24 Apr 2022 08:39:19 -0500 (EST) Received: from localhost (mandoc.bsd.lv [local]) by mandoc.bsd.lv (OpenSMTPD) with ESMTPA id f74cd1ed for ; Sun, 24 Apr 2022 08:39:19 -0500 (EST) Date: Sun, 24 Apr 2022 08:39:19 -0500 (EST) X-Mailinglist: mandoc-source Reply-To: source@mandoc.bsd.lv MIME-Version: 1.0 From: schwarze@mandoc.bsd.lv To: source@mandoc.bsd.lv Subject: mandoc: If a .shift request has a negative argument, do not use a X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Message-ID: <336513f2c1872280@mandoc.bsd.lv> Log Message: ----------- If a .shift request has a negative argument, do not use a negative array index but use 0 instead of the argument, just like groff. Warn about the invalid argument. While here, fix the column number in another warning message. Segfault reported by tb@, found with afl(1). Modified Files: -------------- mandoc: mandoc.1 mandoc.h mandoc_msg.c roff.c mandoc/regress/roff/shift: bad.in bad.out_ascii bad.out_lint Revision Data ------------- Index: mandoc_msg.c =================================================================== RCS file: /home/cvs/mandoc/mandoc/mandoc_msg.c,v retrieving revision 1.16 retrieving revision 1.17 diff -Lmandoc_msg.c -Lmandoc_msg.c -u -p -r1.16 -r1.17 --- mandoc_msg.c +++ mandoc_msg.c @@ -1,6 +1,6 @@ /* $OpenBSD: mandoc_msg.c,v 1.8 2020/01/19 17:59:01 schwarze Exp $ */ /* - * Copyright (c) 2014-2021 Ingo Schwarze + * Copyright (c) 2014-2022 Ingo Schwarze * Copyright (c) 2010, 2011 Kristaps Dzonsons * * Permission to use, copy, modify, and distribute this software for any @@ -216,6 +216,7 @@ static const char *const type_message[MA "escaped character not allowed in a name", "using macro argument outside macro", "argument number is not numeric", + "negative argument, using 0", "NOT IMPLEMENTED: Bd -file", "skipping display without arguments", "missing list type, using -item", Index: mandoc.h =================================================================== RCS file: /home/cvs/mandoc/mandoc/mandoc.h,v retrieving revision 1.274 retrieving revision 1.275 diff -Lmandoc.h -Lmandoc.h -u -p -r1.274 -r1.275 --- mandoc.h +++ mandoc.h @@ -1,6 +1,6 @@ /* $Id$ */ /* - * Copyright (c) 2012-2021 Ingo Schwarze + * Copyright (c) 2012-2022 Ingo Schwarze * Copyright (c) 2010, 2011, 2014 Kristaps Dzonsons * * Permission to use, copy, modify, and distribute this software for any @@ -215,6 +215,7 @@ enum mandocerr { MANDOCERR_NAMESC, /* escaped character not allowed in a name: name */ MANDOCERR_ARG_UNDEF, /* using macro argument outside macro */ MANDOCERR_ARG_NONUM, /* argument number is not numeric */ + MANDOCERR_ARG_NEG, /* negative argument, using 0: request arg */ MANDOCERR_BD_FILE, /* NOT IMPLEMENTED: Bd -file */ MANDOCERR_BD_NOARG, /* skipping display without arguments: Bd */ MANDOCERR_BL_NOTYPE, /* missing list type, using -item: Bl */ Index: mandoc.1 =================================================================== RCS file: /home/cvs/mandoc/mandoc/mandoc.1,v retrieving revision 1.256 retrieving revision 1.257 diff -Lmandoc.1 -Lmandoc.1 -u -p -r1.256 -r1.257 --- mandoc.1 +++ mandoc.1 @@ -1,6 +1,6 @@ .\" $Id$ .\" -.\" Copyright (c) 2012, 2014-2021 Ingo Schwarze +.\" Copyright (c) 2012, 2014-2022 Ingo Schwarze .\" Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -2082,6 +2082,13 @@ and expands to the empty string. .Pq roff The argument of the escape sequence \e$ is not a digit; the escape sequence expands to the empty string. +.It Sy "negative argument, using 0" +.Pq roff +A +.Ic \&shift +request has a negative argument +or an argument that is negative due to integer overflow. +Macro argument numbering remains unchanged. .It Sy "NOT IMPLEMENTED: Bd -file" .Pq mdoc For security reasons, the Index: roff.c =================================================================== RCS file: /home/cvs/mandoc/mandoc/roff.c,v retrieving revision 1.381 retrieving revision 1.382 diff -Lroff.c -Lroff.c -u -p -r1.381 -r1.382 --- roff.c +++ roff.c @@ -3870,8 +3870,9 @@ static int roff_shift(ROFF_ARGS) { struct mctx *ctx; - int levels, i; + int argpos, levels, i; + argpos = pos; levels = 1; if (buf->buf[pos] != '\0' && roff_evalnum(r, ln, buf->buf, &pos, &levels, 0) == 0) { @@ -3886,8 +3887,12 @@ roff_shift(ROFF_ARGS) ctx = r->mstack + r->mstackpos; if (levels > ctx->argc) { mandoc_msg(MANDOCERR_SHIFT, - ln, pos, "%d, but max is %d", levels, ctx->argc); + ln, argpos, "%d, but max is %d", levels, ctx->argc); levels = ctx->argc; + } + if (levels < 0) { + mandoc_msg(MANDOCERR_ARG_NEG, ln, argpos, "shift %d", levels); + levels = 0; } if (levels == 0) return ROFF_IGN; Index: bad.out_lint =================================================================== RCS file: /home/cvs/mandoc/mandoc/regress/roff/shift/bad.out_lint,v retrieving revision 1.1 retrieving revision 1.2 diff -Lregress/roff/shift/bad.out_lint -Lregress/roff/shift/bad.out_lint -u -p -r1.1 -r1.2 --- regress/roff/shift/bad.out_lint +++ regress/roff/shift/bad.out_lint @@ -3,5 +3,6 @@ mandoc: bad.in:15:2: ERROR: ignoring req mandoc: bad.in:17:31: ERROR: argument number is not numeric: \$x mandoc: bad.in:19:28: ERROR: using macro argument outside macro: \$1 mandoc: bad.in:20:2: ERROR: ignoring request outside macro: shift -mandoc: bad.in:28:8: ERROR: argument is not numeric, using 1: shift badarg -mandoc: bad.in:28:9: ERROR: excessive shift: 2, but max is 1 +mandoc: bad.in:32:8: ERROR: argument is not numeric, using 1: shift badarg +mandoc: bad.in:32:8: ERROR: negative argument, using 0: shift -1 +mandoc: bad.in:32:8: ERROR: excessive shift: 2, but max is 1 Index: bad.out_ascii =================================================================== RCS file: /home/cvs/mandoc/mandoc/regress/roff/shift/bad.out_ascii,v retrieving revision 1.2 retrieving revision 1.3 diff -Lregress/roff/shift/bad.out_ascii -Lregress/roff/shift/bad.out_ascii -u -p -r1.2 -r1.3 --- regress/roff/shift/bad.out_ascii +++ regress/roff/shift/bad.out_ascii @@ -14,8 +14,10 @@ DDEESSCCRRIIPPTTIIOONN argument used after call: "" - after shift badarg: "arg2" after excessive shift: 0 "" + after shift badarg: "arg2" + after shift -1: "arg2" + after excessive shift: 0 "" final text -OpenBSD August 23, 2018 SHIFT_BAD(1) +OpenBSD April 24, 2022 SHIFT_BAD(1) Index: bad.in =================================================================== RCS file: /home/cvs/mandoc/mandoc/regress/roff/shift/bad.in,v retrieving revision 1.1 retrieving revision 1.2 diff -Lregress/roff/shift/bad.in -Lregress/roff/shift/bad.in -u -p -r1.1 -r1.2 --- regress/roff/shift/bad.in +++ regress/roff/shift/bad.in @@ -1,5 +1,5 @@ -.\" $OpenBSD: bad.in,v 1.1 2018/08/23 14:16:12 schwarze Exp $ -.TH SHIFT_BAD 1 "August 23, 2018" +.\" $OpenBSD: bad.in,v 1.2 2022/04/24 13:34:53 schwarze Exp $ +.TH SHIFT_BAD 1 "April 24, 2022" .SH NAME .B shift-bad \(en wrong usage of macro arguments @@ -22,6 +22,10 @@ argument used after call: "\$1" .de mym .shift badarg after shift badarg: "\\$1" +.br +.shift -1 +after shift \-1: "\\$1" +.br .shift 2 after excessive shift: \\n(.$ "\\$1" .. -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv