gbranden pushed a commit to branch master
in repository groff.

commit 8f33603941602416cdb5cd0af1706a62f99d4567
Author: G. Branden Robinson <g.branden.robin...@gmail.com>
AuthorDate: Thu Jul 10 15:32:01 2025 -0500

    [libgroff]: Handle ludicrously long input lines.
    
    * src/libs/libgroff/font.cpp (text_file::next_line): Handle ludicrously
      long input line lengths by diagnosing the problem and cleanly
      aborting.
    
    Exhibit:
    
    $ rm build/font/devps/DESC
    $ make -C build font/devps/DESC
    [output elided]
    $ printf 'papersize ' >> build/font/devps/DESC
    $ dd if=/dev/zero of=/dev/stdout bs=1M count=8192 \
      | tr '\0' '@' >> build/font/devps/DESC
    [output elided]
    $ printf '\n' >> build/font/devps/DESC
    $ echo . | ./build/test-groff
    .../build/groff:.../build/font/devps/DESC:15: fatal error: line length 
exceeds 1073741824 bytes; aborting
---
 ChangeLog                  | 6 ++++++
 src/libs/libgroff/font.cpp | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8ec27469f..711afa5e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2025-07-10  G. Branden Robinson <g.branden.robin...@gmail.com>
+
+       * src/libs/libgroff/font.cpp (text_file::next_line): Handle
+       ludicrously long input line lengths by diagnosing the problem
+       and cleanly aborting.
+
 2025-07-10  G. Branden Robinson <g.branden.robin...@gmail.com>
 
        * src/libs/libgroff/font.cpp (text_file::next_line): Trivially
diff --git a/src/libs/libgroff/font.cpp b/src/libs/libgroff/font.cpp
index ce1907756..35564338a 100644
--- a/src/libs/libgroff/font.cpp
+++ b/src/libs/libgroff/font.cpp
@@ -127,11 +127,15 @@ bool text_file::next_line()
        error("invalid input character code %1", int(c));
       else {
        if (length + 1 >= linebufsize) {
+         int newbufsize = linebufsize * 2;
+         if (newbufsize < 0) // integer multiplication wrapped
+           fatal("line length exceeds %1 bytes; aborting",
+                 linebufsize);
          char *old_buf = buf;
-         buf = new char[linebufsize * 2];
+         buf = new char[newbufsize];
          memcpy(buf, old_buf, linebufsize);
          delete[] old_buf;
-         linebufsize *= 2;
+         linebufsize = newbufsize;
        }
        buf[length++] = c;
        if ('\n' == c)
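Review bot: The wrap test `if (newbufsize < 0)` runs after `linebufsize * 2` has already been evaluated, and if linebufsize is a signed int (its declaration is outside the hunk, but `int newbufsize` suggests it), that overflow is undefined behaviour in C++. An optimizing compiler may therefore assume the product is never negative and delete the check, leaving `new char[newbufsize]` and the following `memcpy` to run with a bogus size on an oversized line in a font or DESC file. Test the operand before doubling instead: `if (linebufsize > INT_MAX / 2) fatal("line length exceeds %1 bytes; aborting", linebufsize);` followed by `int newbufsize = linebufsize * 2;`, which needs `<limits.h>` if the file does not already include it. The body of text_file::next_line starts and ends outside the hunk.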
