gbranden pushed a commit to branch master
in repository groff.
commit d043e8a1c98a2016a8539939a4cbfd99cabbbd77
Author: G. Branden Robinson <[email protected]>
AuthorDate: Wed Jun 24 20:09:32 2026 -0500
[pic]: Limit size of heap-allocated array.
* src/preproc/pic/object.cpp (graphic_object::add_text): Add new local
  constant `max_text_pieces` to impose limit on size of heap-allocated
  `text_piece` array.
groff now builds successfully using GCC with `-O2 -flto=auto` together.
---
ChangeLog | 6 ++++++
src/preproc/pic/object.cpp | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5af286079..6b3531c00 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2026-06-24 G. Branden Robinson <[email protected]>
+
+ * src/preproc/pic/object.cpp (graphic_object::add_text): Add new
+ local constant `max_text_pieces` to impose limit on size of
+ heap-allocated `text_piece` array.
+
2026-06-24 G. Branden Robinson <[email protected]>
* src/preproc/pic/object.cpp (graphic_object::add_text): Convert
diff --git a/src/preproc/pic/object.cpp b/src/preproc/pic/object.cpp
index 8a65fc1cd..7e8102764 100644
--- a/src/preproc/pic/object.cpp
+++ b/src/preproc/pic/object.cpp
@@ -653,12 +653,18 @@ void graphic_object::add_text(text_item *t, int a)
{
aligned = a;
size_t len = 0;
+ const size_t max_text_pieces = 10000; // XXX: arbitrary limit
text_item *p;
for (p = t; p; p = p->next)
len++;
if (len == 0)
text = 0 /* nullptr */;
else {
+ // GCC's static analyzer is highly suspicious of our array
+ // allocation when building with `-O2` and `-flto=auto`.
+ if ((len == static_cast<size_t>(-1)) || (len > max_text_pieces))
+ fatal("too many text pieces (%1) in graphic object; limit %2",
+ len, max_text_pieces);
text = new text_piece[len];
size_t i = 0;
for (p = t; p != 0 /* nullptr */; p = p->next, i++) {
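Review bot: the `len == static_cast<size_t>(-1)` operand in the new condition is redundant. With `max_text_pieces` set to 10000, any `len` equal to `SIZE_MAX` already satisfies `len > max_text_pieces`, and `len` cannot reach that value in practice because it is incremented once per `text_item` node. `if (len > max_text_pieces)` alone bounds the `new text_piece[len]` allocation and is what the analyzer needs to see. The limit is also a user-visible behaviour change: pic input carrying more than 10000 text pieces in one object now terminates via `fatal`, so the `// XXX: arbitrary limit` marker should be replaced by a comment stating that this caps input-driven heap allocation (and the limit should be documented), rather than the current comment, which explains only why GCC complained and not what the check enforces.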
_______________________________________________
groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit