=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/mandoc/eqn.c,v retrieving revision 1.47 retrieving revision 1.48 diff -c -r1.47 -r1.48 *** src/usr.bin/mandoc/eqn.c 2020/01/08 12:09:14 1.47 --- src/usr.bin/mandoc/eqn.c 2022/04/13 20:19:18 1.48 *************** *** 1,7 **** ! /* $OpenBSD: eqn.c,v 1.47 2020/01/08 12:09:14 schwarze Exp $ */ /* * Copyright (c) 2011, 2014 Kristaps Dzonsons - * Copyright (c) 2014,2015,2017,2018,2020 Ingo Schwarze * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above --- 1,8 ---- ! /* $OpenBSD: eqn.c,v 1.48 2022/04/13 20:19:18 schwarze Exp $ */ /* + * Copyright (c) 2014, 2015, 2017, 2018, 2020, 2022 + * Ingo Schwarze * Copyright (c) 2011, 2014 Kristaps Dzonsons * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above *************** *** 373,391 **** static enum eqn_tok eqn_next(struct eqn_node *ep, enum parse_mode mode) { - static int last_len, lim; - struct eqn_def *def; size_t start; ! int diff, i, quoted; enum eqn_tok tok; /* * Reset the recursion counter after advancing ! * beyond the end of the previous substitution. */ ! if (ep->end - ep->data >= last_len) ! lim = 0; ep->start = ep->end; quoted = mode == MODE_QUOTED; --- 374,390 ---- static enum eqn_tok eqn_next(struct eqn_node *ep, enum parse_mode mode) { struct eqn_def *def; size_t start; ! int diff, i, newlen, quoted; enum eqn_tok tok; /* * Reset the recursion counter after advancing ! * beyond the end of the rightmost substitution. */ ! if (ep->end - ep->data >= ep->sublen) ! ep->subcnt = 0; ep->start = ep->end; quoted = mode == MODE_QUOTED; *************** *** 432,441 **** return EQN_TOK__MAX; if ((def = eqn_def_find(ep)) == NULL) break; ! if (++lim > EQN_NEST_MAX) { mandoc_msg(MANDOCERR_ROFFLOOP, ep->node->line, ep->node->pos, NULL); ! 
return EQN_TOK_EOF; } /* Replace a defined name with its string value. */ --- 431,440 ---- return EQN_TOK__MAX; if ((def = eqn_def_find(ep)) == NULL) break; ! if (++ep->subcnt > EQN_NEST_MAX) { mandoc_msg(MANDOCERR_ROFFLOOP, ep->node->line, ep->node->pos, NULL); ! break; } /* Replace a defined name with its string value. */ *************** *** 444,455 **** ep->sz += diff; ep->data = mandoc_realloc(ep->data, ep->sz + 1); ep->start = ep->data + start; } if (diff) memmove(ep->start + def->valsz, ep->start + ep->toksz, strlen(ep->start + ep->toksz) + 1); memcpy(ep->start, def->val, def->valsz); ! last_len = ep->start - ep->data + def->valsz; } if (mode != MODE_TOK) return quoted ? EQN_TOK_QUOTED : EQN_TOK__MAX; --- 443,457 ---- ep->sz += diff; ep->data = mandoc_realloc(ep->data, ep->sz + 1); ep->start = ep->data + start; + ep->sublen += diff; } if (diff) memmove(ep->start + def->valsz, ep->start + ep->toksz, strlen(ep->start + ep->toksz) + 1); memcpy(ep->start, def->val, def->valsz); ! newlen = ep->start - ep->data + def->valsz; ! if (ep->sublen < newlen) ! ep->sublen = newlen; } if (mode != MODE_TOK) return quoted ? EQN_TOK_QUOTED : EQN_TOK__MAX; *************** *** 676,681 **** --- 678,685 ---- return; ep->start = ep->end = ep->data; + ep->sublen = 0; + ep->subcnt = 0; next_tok: tok = eqn_next(ep, MODE_TOK);
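Review bot: The new `break` in the `++ep->subcnt > EQN_NEST_MAX` branch leaves `ep->subcnt` above the limit, and nothing in the hunk says that this is deliberate. Until the reset at the top of eqn_next fires (`ep->end - ep->data >= ep->sublen`), every further defined name inside the substituted region will take this branch again, stay unexpanded, and emit another MANDOCERR_ROFFLOOP message. That appears to be what keeps total expansion bounded now that parsing continues instead of returning EQN_TOK_EOF, so it deserves a comment above the `break`, for example `/* Stop expanding but keep parsing; subcnt stays over the limit until we pass sublen. */`. If one diagnostic per equation is preferred, the message could be issued only when the counter first crosses the limit. The construct that `break` leaves starts outside the hunk, so the fall-through path should be confirmed against the full function.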
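Review bot: `ep->sublen += diff` is added only inside the reallocation block, whose condition lies outside the hunk, while the `if (diff) memmove(...)` below it moves the tail for any nonzero `diff`. If that block runs only when the replacement is longer than the name, a shorter replacement shifts the text left without lowering `ep->sublen`, so the recorded end of the rightmost substitution stays too far right and the counter reset is delayed. That errs on the safe side, because the nesting limit trips earlier rather than later, but the invariant should be written down, for example `/* sublen is an upper bound; it is not reduced when the text shrinks. */`. Separately, `newlen` is an `int` (declared in the first eqn_next hunk) that receives `ep->start - ep->data + def->valsz`. This matches the existing `int diff`, but it narrows a pointer difference plus a length, so a `size_t` for `newlen` and `sublen` would avoid truncation on very large input; the member types are not visible on this page.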