From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from scc-mailout.scc.kit.edu (scc-mailout.scc.kit.edu [129.13.185.202]) by krisdoz.my.domain (8.14.3/8.14.3) with ESMTP id p8INhUec009275 for ; Sun, 18 Sep 2011 19:43:33 -0400 (EDT)
Received: from hekate.usta.de (asta-nat.asta.uni-karlsruhe.de [172.22.63.82]) by scc-mailout-02.scc.kit.edu with esmtp (Exim 4.72 #1) id 1R5R1E-0004qZ-0r; Mon, 19 Sep 2011 01:43:28 +0200
Received: from donnerwolke.usta.de ([172.24.96.3]) by hekate.usta.de with esmtp (Exim 4.72) (envelope-from ) id 1R5R1F-0001ZP-67 for tech@mdocml.bsd.lv; Mon, 19 Sep 2011 01:43:29 +0200
Received: from iris.usta.de ([172.24.96.5] helo=usta.de) by donnerwolke.usta.de with esmtp (Exim 4.69) (envelope-from ) id 1R5R1B-0001Md-0L for tech@mdocml.bsd.lv; Mon, 19 Sep 2011 01:43:25 +0200
Received: from schwarze by usta.de with local (Exim 4.72) (envelope-from ) id 1R5QsJ-0007jZ-FN for tech@mdocml.bsd.lv; Mon, 19 Sep 2011 01:34:15 +0200
Date: Mon, 19 Sep 2011 01:34:15 +0200
From: Ingo Schwarze
To: tech@mdocml.bsd.lv
Subject: 1.11.7 regression: infinite loop in roff_res()
Message-ID: <20110918233415.GJ29692@iris.usta.de>
X-Mailinglist: mdocml-tech
Reply-To: tech@mdocml.bsd.lv
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)

CVSROOT:	/cvs
Module name:	src
Changes by:	schwarze@cvs.openbsd.org	2011/09/18 17:26:18

Modified files:
	usr.bin/mandoc : roff.c

Log message:
Fix another regression introduced in 1.11.7:
If a string is defined in terms of itself, the REPARSE_LIMIT in read.c
used to break the cycle. This no longer works since all the work is now
done in the function roff_res(), looping indefinitely.
Make this loop finite by arbitrarily limiting the number of times one
string may be expanded; when that limit is reached, leave the remaining
string references unexpanded.
This changes behaviour compared to 1.11.5, where the whole line would
have been dropped. The new behaviour is better because it loses less
information. We don't want to imitate groff-1.20.1 behaviour anyway
because groff aborts parsing of the whole file.

OK to commit to bsd.lv as well?
Ingo

Index: roff.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/roff.c,v
retrieving revision 1.42
diff -u -p -r1.42 roff.c
--- roff.c	18 Sep 2011 15:54:48 -0000	1.42
+++ roff.c	18 Sep 2011 23:01:05 -0000
@@ -27,6 +27,9 @@ /* Maximum number of nested if-else conditionals. */ #define RSTACK_MAX 128 +/* Maximum number of string expansions per line, to break infinite loops. */ +#define EXPAND_LIMIT 1000 + enum rofft { ROFF_ad, ROFF_am, 
@@ -433,10 +436,12 @@ roff_res(struct roff *r, char **bufp, si const char *stnam; /* start of the name, after "[(*" */ const char *cp; /* end of the name, e.g. before ']' */ const char *res; /* the string to be substituted */ - int i, maxl; + int i, maxl, expand_count; size_t nsz; char *n; + expand_count = 0; + again: cp = *bufp + pos; while (NULL != (cp = strchr(cp, '\\'))) { @@ -531,7 +536,13 @@ again: *bufp = n; *szp = nsz; - goto again; + + if (EXPAND_LIMIT >= ++expand_count) + goto again; + + /* Just leave the string unexpanded. */ + mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, pos, NULL); + return; } } -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv
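Review bot: in the first hunk, the comment on EXPAND_LIMIT says "per line", but the counter it bounds (expand_count) is initialised at the top of roff_res() and never reset on the `goto again` path, so the limit is really per roff_res() call; if roff_res() runs exactly once per input line the comment is accurate, otherwise say "per roff_res() call". Since the log message calls 1000 arbitrary, a short note on why that value is comfortably above any legitimate number of string references on one line would help the next reader.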
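Review bot: the last hunk calls `mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, pos, NULL)`, but this diff does not add MANDOCERR_ROFFLOOP to the error enum or the message table; either include that change in the same commit or state in the log message that the code already exists, otherwise roff.c stops compiling. Also worth a word in the "Just leave the string unexpanded" comment: `*bufp = n; *szp = nsz;` have already run when the limit trips, so the line is handed back with the last expansion applied and every remaining `\*` reference on it, not only the self-referential one, left untouched because of the immediate `return`.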
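To illustrate the bound the log message describes, here is an added, self-contained C sketch, not mandoc's roff_res() and not part of the patch, of a minimal `\*[name]` expander with a hypothetical lookup() table in which "self" is defined in terms of itself; it mirrors the patch's `EXPAND_LIMIT >= ++count` test and stops with the remaining reference left unexpanded instead of looping forever.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPAND_LIMIT 1000   /* same bound the patch introduces */

/* Constructed string table (hypothetical): "self" refers to itself. */
static const char *lookup(const char *name, size_t len)
{
	if (len == 4 && !strncmp(name, "self", 4)) return "<\\*[self]>";
	if (len == 3 && !strncmp(name, "mdc", 3))  return "mandoc";
	return NULL;
}

static char *dup_line(const char *s)
{
	char *d = malloc(strlen(s) + 1);
	if (d == NULL) abort();
	return strcpy(d, s);
}

/* Expand \*[name] references in *bufp, reallocating as roff_res() does.
 * Returns the number of expansions; *hit_limit is set when the bound
 * was reached and the remaining references were left alone. */
int expand_line(char **bufp, int *hit_limit)
{
	int count = 0;
	char *cp;
	*hit_limit = 0;
again:
	cp = *bufp;
	while ((cp = strstr(cp, "\\*[")) != NULL) {
		const char *stnam = cp + 3;             /* start of the name */
		const char *end = strchr(stnam, ']');   /* end of the name */
		const char *res;
		size_t nsz;
		char *n;
		if (end == NULL) return count;          /* unterminated: give up */
		res = lookup(stnam, (size_t)(end - stnam));
		if (res == NULL) { cp = end + 1; continue; } /* unknown: skip it */
		nsz = strlen(*bufp) - (size_t)(end + 1 - cp) + strlen(res) + 1;
		n = malloc(nsz);
		if (n == NULL) abort();
		/* prefix up to the backslash, then the value, then the tail */
		snprintf(n, nsz, "%.*s%s%s", (int)(cp - *bufp), *bufp, res, end + 1);
		free(*bufp);
		*bufp = n;
		if (EXPAND_LIMIT >= ++count)
			goto again;     /* rescan from the start, like roff_res() */
		*hit_limit = 1;     /* bound reached: leave the rest unexpanded */
		return count;
	}
	return count;
}
```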