From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]); by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 974ef102; for ; Thu, 1 Jan 2015 14:29:20 -0500 (EST) Date: Thu, 1 Jan 2015 14:29:20 -0500 (EST) Message-Id: <8565126241349528731.enqueue@fantadrom.bsd.lv> X-Mailinglist: mdocml-source Reply-To: source@mdocml.bsd.lv MIME-Version: 1.0 From: schwarze@mdocml.bsd.lv To: source@mdocml.bsd.lv Subject: mdocml: Fix a buffer overrun triggered by a trailing backslash at EOF in X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Log Message: ----------- Fix a buffer overrun triggered by a trailing backslash at EOF in an unclosed conditional body. If the memory contained the byte sequence "\}" after the end of the buffer before the next NUL, this could even write beyond the end of the buffer, specifically '&' to the location of the '}'. Found by jsg@ with afl. Modified Files: -------------- mdocml: roff.c Revision Data ------------- Index: roff.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/roff.c,v retrieving revision 1.246 retrieving revision 1.247 diff -Lroff.c -Lroff.c -u -p -r1.246 -r1.247 --- roff.c +++ roff.c @@ -1,7 +1,7 @@ /* $Id$ */ /* - * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons - * Copyright (c) 2010-2014 Ingo Schwarze + * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons + * Copyright (c) 2010-2015 Ingo Schwarze * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -1163,7 +1163,8 @@ roff_cond_sub(ROFF_ARGS) *ep = '&'; roff_ccond(r, ln, ep - buf->buf - 1); } - ++ep; + if (*ep != '\0') + ++ep; } return(rr ? ROFF_CONT : ROFF_IGN); } @@ -1183,7 +1184,8 @@ roff_cond_text(ROFF_ARGS) *ep = '&'; roff_ccond(r, ln, ep - buf->buf - 1); } - ++ep; + if (*ep != '\0') + ++ep; } return(rr ? ROFF_CONT : ROFF_IGN); } -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv