CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2017/02/16 20:01:39
Modified files:
usr.bin/mandoc : roff.c
Log message:
Fix a read buffer overrun that copied random data from memory into
text nodes when a string passed to deroff() ended in a backslash
and the byte after the terminating NUL was non-NUL, found by tb@
with afl(1).
Invalid bytes so copied with the high bit set could later sometimes
trigger another out of bounds read access to static memory in
roff_strdup(), so add an assertion there to abort safely in case
of similar data corruption.
