authorKaz Kylheku <kaz@kylheku.com>2014-09-18 19:03:39 -0700
committerKaz Kylheku <kaz@kylheku.com>2014-09-18 19:03:39 -0700
commite9ba652c80e911013ddc3dd5972654d680cc1a7e (patch)
treef30bfbed91fa6fb768509d991008b3c5a8ca85c1
parent4710086f8977fc1a78adc4e4f8e36d915d92ef2e (diff)
Fix malloc memory corruptions.
Premature free in the table code. Realloc logic in out_html was not accounting for null byte that is appended into the globally visible buffer elsewhere. Also, one byte overrun in string data compensated by increasing the allocation when .de is processed.
-rw-r--r--man2html/man2html.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/man2html/man2html.c b/man2html/man2html.c
index 1a2ae54..c5f22dc 100644
--- a/man2html/man2html.c
+++ b/man2html/man2html.c
@@ -353,11 +353,11 @@ out_html(char *c) {
}
if (scaninbuff) {
while (*c) {
- while (buffpos >= buffmax) {
- if (buffmax == 0)
- buffmax = 32;
+ while (buffpos >= buffmax - 1) {
+ if (buffmax == 0)
+ buffmax = 32;
else
- buffmax *= 2;
+ buffmax *= 2;
buffer = xrealloc(buffer, buffmax);
}
if (*c != '\a')
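Review bot: The new loop condition `buffpos >= buffmax - 1` only behaves correctly on the first call (buffmax == 0) if both variables are signed, because `0 - 1` has to compare as -1; their declarations are outside this hunk, so that is worth confirming. Writing the test as `buffpos + 1 >= buffmax` avoids the subtraction and states the intent directly. A comment such as `/* keep one byte free for the NUL that is stored into buffer elsewhere */` would stop a later cleanup from reverting the off-by-one. out_html's body starts and ends outside the hunk.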
@@ -777,7 +777,10 @@ static int tableoptl[] = { 6,6,3,6,9,3,8,5,0};
static void clear_table(TABLEROW *table)
{
- TABLEROW *tr1,*tr2;
+ TABLEROW *tr1;
+#if 0
+ TABLEROW *tr2;
+#endif
TABLEITEM *ti1,*ti2;
tr1=table;
@@ -787,12 +790,18 @@ static void clear_table(TABLEROW *table)
while (ti1) {
ti2=ti1->next;
if (ti1->contents) free(ti1->contents);
- free(ti1);
+#if 0
+ free(ti1); /* confirmed by valgrind to be premature */
+#endif
ti1=ti2;
}
+#if 0
tr2=tr1;
+#endif
tr1=tr1->next;
- free(tr2);
+#if 0
+ free(tr2); /* possibly also */
+#endif
}
}
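Review bot: Disabling `free(ti1)` and `free(tr2)` with `#if 0` stops the premature free but leaves `free(ti1->contents)` in place, so if the items are still reachable after clear_table (which the valgrind remark implies), each one keeps a dangling `contents` pointer that can later be read or freed again. At minimum the loop should clear it: `if (ti1->contents) { free(ti1->contents); ti1->contents = NULL; }`. The rows and items themselves are now never released, and the `/* possibly also */` on `free(tr2)` indicates that case was not confirmed. A comment naming which code still owns the table after this call would make the intended lifetime reviewable. The `#if 0` around the `tr2` declaration in the previous hunk is part of the same workaround.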
@@ -2345,7 +2354,7 @@ scan_request(char *c) {
while (de && de->nr!= i) de=de->next;
if (mode && de) olen=strlen(de->st);
j=olen+c-sl;
- h= (char*) xmalloc((j*2+4)*sizeof(char));
+ h= (char*) xmalloc((j*2+5)*sizeof(char));
if (h) {
for (j=0; j<olen; j++)
h[j]=de->st[j];
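Review bot: The allocation grows from `j*2+4` to `j*2+5` with no statement of which writes need the extra bytes, and the commit message describes it as compensating for an overrun rather than deriving the bound. The code that fills `h` continues outside this hunk, so the worst case cannot be checked from here. A comment breaking the size down (what the factor 2 covers and what each of the five extra bytes is for, including the terminator) would let the next reader verify it. Because `j` comes from `olen+c-sl`, a check that it is non-negative before the multiplication would also be worth adding, assuming `j` is a signed int as the loop below suggests.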