gbranden pushed a commit to branch master
in repository groff.

commit d66fd2256f346010b975ced3f66efed473bfeb81
Author: G. Branden Robinson <[email protected]>
AuthorDate: Fri Jan 9 11:05:31 2026 -0600

    [pic]: Fix Savannah #67899.
    
    * src/preproc/pic/lex.cpp (interpolate_macro_with_args): Shift test of
      argument count so that it is performed for empty arguments as well as
      populated ones.  The misplacement of the test made it possible to
      defeat that test by supplying an empty 32nd argument to a macro,
      consequently overrunning stack storage allocated for this function's
      local `argv` array.
    
    Fixes <https://savannah.gnu.org/bugs/?67899>.  Thanks to John de Armas
    for the report and a reproducer, based on the "jumperblock" example from
    our "doc/pic.ms" file.  Problem appears to date back to groff's birth.
    
    Also recast the warning diagnostic thrown in this situation to make it
    clear that pic is talking about its own macro facility, not a *roff
    formatter's.
---
 ChangeLog               | 16 ++++++++++++++++
 src/preproc/pic/lex.cpp | 18 +++++++++---------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7992b27ff..2f774209e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2026-01-09  G. Branden Robinson <[email protected]>
+
+       [pic]: Fix Savannah #67899.
+
+       * src/preproc/pic/lex.cpp (interpolate_macro_with_args): Shift
+       test of argument count so that it is performed for empty
+       arguments as well as populated ones.  The misplacement of the
+       test made it possible to defeat that test by supplying an empty
+       32nd argument to a macro, consequently overrunning stack storage
+       allocated for this function's local `argv` array.
+
+       Fixes <https://savannah.gnu.org/bugs/?67899>.  Thanks to John de
+       Armas for the report and a reproducer, based on the
+       "jumperblock" example from our "doc/pic.ms" file.  Problem
+       appears to date back to groff's birth.
+
 2026-01-09  G. Branden Robinson <[email protected]>
 
        [pic]: Regression-test Savannah #67899.
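
Review bot: the new ChangeLog entry for `interpolate_macro_with_args` does not record the reworded diagnostic. The lex.cpp change in this same commit replaces the warning text "only %1 macro arguments supported" with "pic supports at most %1 macro arguments", and the commit message calls that out, so a sentence for it under the `* src/preproc/pic/lex.cpp` item would keep the ChangeLog in step with the code.
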
diff --git a/src/preproc/pic/lex.cpp b/src/preproc/pic/lex.cpp
index ede78c8b6..0cf109bd4 100644
--- a/src/preproc/pic/lex.cpp
+++ b/src/preproc/pic/lex.cpp
@@ -408,17 +408,17 @@ void interpolate_macro_with_args(const char *body)
        break;
       }
       if (state == NORMAL && level == 0 && (c == ',' || c == ')')) {
-       if (token_buffer.length() > 0) {
-         token_buffer +=  '\0';
-         if (!ignore) {
-           if (argc == MAX_ARG) {
-             lex_warning("only %1 macro arguments supported", MAX_ARG);
-             ignore = 1;
-           }
-           else
-             argv[argc] = strsave(token_buffer.contents());
+       if (!ignore) {
+         if (argc == MAX_ARG) {
+           lex_warning("pic supports at most %1 macro arguments",
+               MAX_ARG);
+           ignore = 1;
          }
        }
+       if (token_buffer.length() > 0) {
+         token_buffer += '\0';
+         argv[argc] = strsave(token_buffer.contents());
+       }
        // for 'foo()', argc = 0
        if (argc > 0 || c != ')' || i > 0)
          if (!ignore)
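
Review bot: the store `argv[argc] = strsave(token_buffer.contents());` in the relocated `if (token_buffer.length() > 0)` block is no longer guarded by `ignore`, so it still executes when `argc == MAX_ARG`. That happens on the pass that emits the warning and again for every later non-empty argument, because `argc` stays at `MAX_ARG` once the increment below is skipped. If `argv` is declared with `MAX_ARG` elements (the declaration is outside this hunk), that write lands one slot past the end of the array, and each repeat also discards the previous `strsave` result. The removed lines made the store the `else` branch of the `argc == MAX_ARG` test inside `if (!ignore)`; keeping an equivalent guard, for example `if (!ignore && token_buffer.length() > 0)`, retains the count check for empty arguments without storing after the limit is reached. A test input with a non-empty argument beyond the limit would exercise this path.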

_______________________________________________
groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit
