===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/mandoc/roff.c,v
retrieving revision 1.116
retrieving revision 1.117
diff -c -r1.116 -r1.117
*** src/usr.bin/mandoc/roff.c	2014/12/18 17:43:07	1.116
--- src/usr.bin/mandoc/roff.c	2014/12/25 17:18:40	1.117
***************
*** 1,4 ****
! /*	$OpenBSD: roff.c,v 1.116 2014/12/18 17:43:07 schwarze Exp $ */
  /*
   * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
   * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
--- 1,4 ----
! /*	$OpenBSD: roff.c,v 1.117 2014/12/25 17:18:40 schwarze Exp $ */
  /*
   * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
   * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
***************
*** 19,24 ****
--- 19,25 ----
  
  #include <assert.h>
  #include <ctype.h>
+ #include <limits.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
***************
*** 655,660 ****
--- 656,667 ----
  		*stesc = '\0';
  		buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
  		    buf->buf, res, cp) + 1;
+ 
+ 		if (buf->sz > SHRT_MAX) {
+ 			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ 			    ln, (int)(stesc - buf->buf), NULL);
+ 			return(ROFF_IGN);
+ 		}
  
  		/* Prepare for the next replacement. */