From 835540e0c710d0fcef85cc4e79f3200d559bc2c9 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Tue, 1 Sep 2020 18:25:27 +0000
Subject: Ignore unreasonably large spacing modifiers in tbl layouts.

Jan Schreiber ran afl on mandoc and it turned out mandoc tried to use spacing modifiers so large that they would trigger assertion failures in term_ascii.c, function locale_advance().
---
 tbl_layout.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'tbl_layout.c')

diff --git a/tbl_layout.c b/tbl_layout.c
index 58599705..b25677a2 100644
--- a/tbl_layout.c
+++ b/tbl_layout.c
@@ -1,4 +1,4 @@
-/* $Id: tbl_layout.c,v 1.48 2018/12/14 05:18:03 schwarze Exp $ */
+/* $Id: tbl_layout.c,v 1.49 2020/09/01 18:25:28 schwarze Exp $ */
 /*
 * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2012, 2014, 2015, 2017 Ingo Schwarze
@@ -65,6 +65,7 @@ mods(struct tbl_node *tbl, struct tbl_cell *cp, int ln,
 const char *p, int *pos)
 {
 char *endptr;
+ unsigned long spacing;
 size_t sz;
 
 mod:
@@ -93,7 +94,11 @@ mod:
 /* Parse numerical spacing from modifier string. */
 
 if (isdigit((unsigned char)p[*pos])) {
- cp->spacing = strtoull(p + *pos, &endptr, 10);
+ if ((spacing = strtoul(p + *pos, &endptr, 10)) > 9)
+ mandoc_msg(MANDOCERR_TBLLAYOUT_SPC, ln, *pos,
+ "%lu", spacing);
+ else
+ cp->spacing = spacing;
 *pos = endptr - p;
 goto mod;
 }
--
cgit v1.2.3
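Review bot: The bound in the new `if ((spacing = strtoul(p + *pos, &endptr, 10)) > 9)` is an unexplained magic number; the commit message records why a limit is needed (fuzzer-found values large enough to trip assertions in term_ascii.c locale_advance()), but nothing in the code does, so a later reader cannot tell whether 9 is a tbl(7) rule or a renderer constraint. Suggest a comment on that line, `/* Reject unreasonably large spacing: such values trigger assertions in term_ascii.c locale_advance(). */`, or a named constant in place of the literal. The same test also serves as the overflow check, since strtoul() returns ULONG_MAX on ERANGE and that exceeds 9; it is worth saying so in the comment because a future reader may otherwise add a redundant errno check. Note that when the value is rejected `cp->spacing` keeps whatever it held before, which is presumably the cell default; the mods() function body continues outside the hunk.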