===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/mandoc/roff.c,v
retrieving revision 1.163
retrieving revision 1.164
diff -c -r1.163 -r1.164
*** src/usr.bin/mandoc/roff.c 2017/03/03 13:55:06 1.163
--- src/usr.bin/mandoc/roff.c 2017/03/08 13:17:28 1.164
***************
*** 1,4 ****
! /* $OpenBSD: roff.c,v 1.163 2017/03/03 13:55:06 schwarze Exp $ */
  /*
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons
  * Copyright (c) 2010-2015, 2017 Ingo Schwarze
--- 1,4 ----
! /* $OpenBSD: roff.c,v 1.164 2017/03/08 13:17:28 schwarze Exp $ */
  /*
  * Copyright (c) 2008-2012, 2014 Kristaps Dzonsons
  * Copyright (c) 2010-2015, 2017 Ingo Schwarze
***************
*** 3036,3042 ****
  {
  const char *arg[9], *ap;
  char *cp, *n1, *n2;
! int i, ib, ie;
  size_t asz, rsz;
  /*
--- 3036,3042 ----
  {
  const char *arg[9], *ap;
  char *cp, *n1, *n2;
! int expand_count, i, ib, ie;
  size_t asz, rsz;
  /*
***************
*** 3060,3067 ****
  */
  buf->sz = strlen(r->current_string) + 1;
! n1 = cp = mandoc_malloc(buf->sz);
  memcpy(n1, r->current_string, buf->sz);
  while (*cp != '\0') {
  /* Scan ahead for the next argument invocation. */
--- 3060,3068 ----
  */
  buf->sz = strlen(r->current_string) + 1;
! n1 = n2 = cp = mandoc_malloc(buf->sz);
  memcpy(n1, r->current_string, buf->sz);
+ expand_count = 0;
  while (*cp != '\0') {
  /* Scan ahead for the next argument invocation. */
***************
*** 3079,3084 ****
--- 3080,3097 ----
  continue;
  }
  cp -= 2;
+
+ /*
+ * Prevent infinite recursion.
+ */
+
+ if (cp >= n2)
+ expand_count = 1;
+ else if (++expand_count > EXPAND_LIMIT) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(cp - n1), NULL);
+ return ROFF_IGN;
+ }
  /*
  * Determine the size of the expanded argument,
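Review bot: The new `EXPAND_LIMIT` branch in the last hunk returns `ROFF_IGN` without releasing `n1`, which was obtained from `mandoc_malloc(buf->sz)` in the hunk at 3060 and, as far as the visible lines show, has not yet been handed over to `buf`. Because this path is reached only on looping input, a malformed or hostile page would leak that buffer each time the limit trips; adding `free(n1);` before `return ROFF_IGN;` would close it. `buf->sz` has also already been overwritten with the length of `r->current_string` by then, so on this early return it may no longer describe `buf->buf`, and it is worth confirming that no caller relies on it after `ROFF_IGN`. The function starts and ends outside these hunks, so the later update of `n2` that the `cp >= n2` test depends on is not visible here; if it marks the end of the most recent expansion, a comment at its declaration such as `/* n2: end of the most recent expansion */` would make the loop-detection invariant readable.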