From 63ba33671bfb5f26d7f5742a00291b8436cb1b7d Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Fri, 16 Mar 2018 20:41:41 +0000
Subject: Ouch, fix previous: In the edge case of a single-character string containing nothing but a single hyphen, the pointer got incremented twice at one point, causing a read overrun found by naddy@.
---
 mdoc_validate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mdoc_validate.c b/mdoc_validate.c
index a6e3d5e7..8ed827ea 100644
--- a/mdoc_validate.c
+++ b/mdoc_validate.c
@@ -1,4 +1,4 @@
-/* $Id: mdoc_validate.c,v 1.355 2018/03/16 15:05:44 schwarze Exp $ */
+/* $Id: mdoc_validate.c,v 1.356 2018/03/16 20:41:41 schwarze Exp $ */
 /*
 * Copyright (c) 2008-2012 Kristaps Dzonsons
 * Copyright (c) 2010-2018 Ingo Schwarze
@@ -412,8 +412,9 @@ check_text_em(struct roff_man *mdoc, int ln, int pos, char *p)
 /* Look for em-dashes wrongly encoded as "--". */
 for (cp = p; *cp != '\0'; cp++) {
- if (*cp != '-' || *++cp != '-')
+ if (cp[0] != '-' || cp[1] != '-')
 continue;
+ cp++;
 /* Skip input sequences of more than two '-'. */
--
cgit v1.2.3
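Review bot: The new `cp++;` after the `continue` in check_text_em carries no comment recording the invariant this fix restores, so a later cleanup could fold the increment back into the condition and reintroduce the read past the terminator. I would add `/* Advance only after both bytes matched; cp[1] is read only when cp[0] is '-', so it is at worst the NUL. */` above the `if`. The diffstat shows only mdoc_validate.c changed, so a regression case for a text line consisting of a lone "-" appears not to be part of this commit and would be worth adding, ideally run under a memory sanitizer. The loop body continues outside the hunk, so the reads after the "Skip input sequences" comment cannot be checked from here and should be confirmed to stay within the same bound.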