From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (fantadrom.bsd.lv [local])
	by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 72294c73
	for <source@mandoc.bsd.lv>;
	Fri, 16 Mar 2018 15:42:12 -0500 (EST)
Date: Fri, 16 Mar 2018 15:42:12 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: mandoc: Ouch, fix previous:  In the edge case of a single-character 
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-Id: <84f50dfd5e5d224e@fantadrom.bsd.lv>

Log Message:
-----------
Ouch, fix previous:  In the edge case of a single-character string
containing nothing but a single hyphen, the pointer got incremented
twice at one point, causing a read overrun found by naddy@.

Modified Files:
--------------
    mandoc:
        mdoc_validate.c

Revision Data
-------------
Index: mdoc_validate.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/mdoc_validate.c,v
retrieving revision 1.355
retrieving revision 1.356
diff -Lmdoc_validate.c -Lmdoc_validate.c -u -p -r1.355 -r1.356
--- mdoc_validate.c
+++ mdoc_validate.c
@@ -412,8 +412,9 @@ check_text_em(struct roff_man *mdoc, int
 	/* Look for em-dashes wrongly encoded as "--". */
 
 	for (cp = p; *cp != '\0'; cp++) {
-		if (*cp != '-' || *++cp != '-')
+		if (cp[0] != '-' || cp[1] != '-')
 			continue;
+		cp++;
 
 		/* Skip input sequences of more than two '-'. */
 
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv