Follow-up Comment #5, bug #67899 (group groff): I expect the following refinement of the fix to be in my next push.
commit ed72efb9ea9f9931ce8e49eefb1ede3759d92c20 Author: G. Branden Robinson <[email protected]> AuthorDate: Sat Jan 10 12:53:08 2026 -0600 Commit: G. Branden Robinson <[email protected]> CommitDate: Sat Jan 10 12:53:08 2026 -0600 [pic]: Improve fix for Savannah #67899. * src/preproc/pic/lex.cpp (interpolate_macro_with_args): Shift more logic inside the `!ignore` conditional; this way we correctly handle the case of a non-empty 33rd macro argument. We were no longer smashing the stack with a list of pointers of user-controlled length, but we were permitting the stack memory at a location one past the end of the `argv` array to be written to. Continues fixing <https://savannah.gnu.org/bugs/?67899>. diff --git a/src/preproc/pic/lex.cpp b/src/preproc/pic/lex.cpp index 0cf109bd4..247ec67e6 100644 --- a/src/preproc/pic/lex.cpp +++ b/src/preproc/pic/lex.cpp @@ -414,10 +414,10 @@ void interpolate_macro_with_args(const char *body) MAX_ARG); ignore = 1; } - } - if (token_buffer.length() > 0) { - token_buffer += '\0'; - argv[argc] = strsave(token_buffer.contents()); + else if (token_buffer.length() > 0) { + token_buffer += '\0'; + argv[argc] = strsave(token_buffer.contents()); + } } // for 'foo()', argc = 0 if (argc > 0 || c != ')' || i > 0) _______________________________________________________ Reply to this item at: <https://savannah.gnu.org/bugs/?67899> _______________________________________________ Message sent via Savannah https://savannah.gnu.org/
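Review bot: the store `argv[argc] = strsave(token_buffer.contents());` in the new `else if` branch is in bounds only because of which `if` this `else` pairs with, and that condition sits above the visible context. The hunk shows only that the other branch reports `MAX_ARG` and sets `ignore = 1`. Since this is the second correction to the same write, consider stating the invariant at the store itself, either as a short comment or as an assertion that `argc` is below the size of `argv`, so a later reshuffle of the braces cannot quietly reintroduce the one-past-the-end write. The diff touches only `src/preproc/pic/lex.cpp`; a regression test that calls a macro with a non-empty 33rd argument, the case the commit message describes, would pin the fix down. It is also worth confirming that the unchanged `if (argc > 0 || c != ')' || i > 0)` that follows still behaves as intended when the final argument was ignored and nothing was stored for it.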
