gbranden pushed a commit to branch master
in repository groff.

commit ed72efb9ea9f9931ce8e49eefb1ede3759d92c20
Author: G. Branden Robinson <[email protected]>
AuthorDate: Sat Jan 10 12:53:08 2026 -0600

    [pic]: Improve fix for Savannah #67899.
    
    * src/preproc/pic/lex.cpp (interpolate_macro_with_args): Shift more
      logic inside the `!ignore` conditional; this way we correctly handle
      the case of a non-empty 33rd macro argument.  We were no longer
      smashing the stack with a list of pointers of user-controlled length,
      but we were permitting the stack memory at a location one past the end
      of the `argv` array to be written to.
    
    Continues fixing <https://savannah.gnu.org/bugs/?67899>.
---
 ChangeLog               | 14 ++++++++++++++
 src/preproc/pic/lex.cpp |  8 ++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fc6f01d57..77afdb529 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2026-01-10  G. Branden Robinson <[email protected]>
+
+       [pic]: Improve fix for Savannah #67899.
+
+       * src/preproc/pic/lex.cpp (interpolate_macro_with_args): Shift
+       more logic inside the `!ignore` conditional; this way we
+       correctly handle the case of a non-empty 33rd macro argument.
+       We were no longer smashing the stack with a list of pointers of
+       user-controlled length, but we were permitting the stack memory
+       at a location one past the end of the `argv` array to be
+       written to.
+
+       Continues fixing <https://savannah.gnu.org/bugs/?67899>.
+
 2026-01-09  G. Branden Robinson <[email protected]>
 
        * src/roff/groff/groff.cpp (main): Bump ending year of copyright
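
Review bot: The new ChangeLog entry's "non-empty 33rd macro argument" ties the description to the current numeric limit, while the code it documents is written in terms of `MAX_ARG`. Suggest wording it as the argument at index `MAX_ARG` (one past the end of `argv`), so the entry stays accurate if the limit is ever changed and a reader can grep from the entry to the check.
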
diff --git a/src/preproc/pic/lex.cpp b/src/preproc/pic/lex.cpp
index 0cf109bd4..247ec67e6 100644
--- a/src/preproc/pic/lex.cpp
+++ b/src/preproc/pic/lex.cpp
@@ -414,10 +414,10 @@ void interpolate_macro_with_args(const char *body)
                MAX_ARG);
            ignore = 1;
          }
-       }
-       if (token_buffer.length() > 0) {
-         token_buffer += '\0';
-         argv[argc] = strsave(token_buffer.contents());
+         else if (token_buffer.length() > 0) {
+           token_buffer += '\0';
+           argv[argc] = strsave(token_buffer.contents());
+         }
        }
        // for 'foo()', argc = 0
        if (argc > 0 || c != ')' || i > 0)
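
Review bot: The store `argv[argc] = strsave(token_buffer.contents());` is now kept in bounds only by being the `else` arm of the branch that reports the `MAX_ARG` overflow and sets `ignore = 1`; nothing at the store itself states that invariant. Suggest an assertion that `argc` is within the bounds of `argv` immediately before the store, or a comment saying why the index is in range, so a later edit to the branch above cannot silently reopen the one-past-the-end write the commit message describes. The diffstat lists only ChangeLog and src/preproc/pic/lex.cpp, so no regression test accompanies the fix; a test that invokes a macro with a non-empty 33rd argument would pin the behaviour down.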

_______________________________________________
groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit
