From e9ba652c80e911013ddc3dd5972654d680cc1a7e Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Thu, 18 Sep 2014 19:03:39 -0700
Subject: Fix malloc memory corruptions.

Premature free in the table code.

Realloc logic in out_html was not accounting for null byte that is appended into the globally visible buffer elsewhere.

Also, one byte overrun in string data compensated by increasing the allocation when .de is processed.
---
 man2html/man2html.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

(limited to 'man2html')

diff --git a/man2html/man2html.c b/man2html/man2html.c
index 1a2ae54..c5f22dc 100644
--- a/man2html/man2html.c
+++ b/man2html/man2html.c
@@ -353,11 +353,11 @@ out_html(char *c) {
 }
 if (scaninbuff) {
 while (*c) {
- while (buffpos >= buffmax) {
- if (buffmax == 0)
- buffmax = 32;
+ while (buffpos >= buffmax - 1) {
+ if (buffmax == 0)
+ buffmax = 32;
 else
- buffmax *= 2;
+ buffmax *= 2;
 buffer = xrealloc(buffer, buffmax);
 }
 if (*c != '\a')
@@ -777,7 +777,10 @@ static int tableoptl[] = { 6,6,3,6,9,3,8,5,0};
 static void clear_table(TABLEROW *table)
 {
- TABLEROW *tr1,*tr2;
+ TABLEROW *tr1;
+#if 0
+ TABLEROW *tr2;
+#endif
 TABLEITEM *ti1,*ti2;
 tr1=table;
@@ -787,12 +790,18 @@ static void clear_table(TABLEROW *table)
 while (ti1) {
 ti2=ti1->next;
 if (ti1->contents) free(ti1->contents);
- free(ti1);
+#if 0
+ free(ti1); /* confirmed by valgrind to be premature */
+#endif
 ti1=ti2;
 }
+#if 0
 tr2=tr1;
+#endif
 tr1=tr1->next;
- free(tr2);
+#if 0
+ free(tr2); /* possibly also */
+#endif
 }
 }
@@ -2345,7 +2354,7 @@ scan_request(char *c) {
 while (de && de->nr!= i) de=de->next;
 if (mode && de) olen=strlen(de->st);
 j=olen+c-sl;
- h= (char*) xmalloc((j*2+4)*sizeof(char));
+ h= (char*) xmalloc((j*2+5)*sizeof(char));
 if (h) {
 for (j=0; jst[j];
-- 
cgit v1.2.3
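Review bot: The new guard `while (buffpos >= buffmax - 1)` in out_html only reserves the trailing byte if buffmax is a signed type; its declaration is outside the hunk, and if it is unsigned or size_t then `buffmax - 1` wraps on the initial value 0, the growth loop is skipped, and the first store into buffer goes through a NULL or undersized pointer. A form that does not depend on the type, `while (buffmax == 0 || buffpos + 1 >= buffmax) {`, handles both cases and also makes the `buffmax == 0` branch inside the loop the only place that knows the initial size. The reason for the reserved byte is not visible at this site either, so a comment such as `/* keep one byte free: a terminating NUL is appended to buffer outside this function */` would stop the slack from being removed again. out_html begins and ends outside the hunk.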
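Review bot: Wrapping `free(ti1)` and `free(tr2)` in `#if 0` removes the double-free/use-after-free that the commit message describes, but unless those nodes are released somewhere else it makes clear_table leak every TABLEITEM and TABLEROW node, and it leaves the real question — who still holds those nodes after the table is cleared — unanswered; the same applies to the `#if 0` around the `TABLEROW *tr2` declaration in the earlier hunk of this function. If the nodes are owned by the caller, the dead code should be deleted and the contract stated at the top of the function, e.g. `/* Releases only each item's contents; TABLEITEM and TABLEROW nodes are owned elsewhere (see e9ba652c) and must not be freed here */`, and if they are not, the "premature" free points at a caller that keeps using the table after clear_table, which is the defect to fix. Either way, `#if 0` blocks annotated "possibly also" are code that the next reader will re-enable. clear_table's outer loop header `while (tr1) {` lies between the two hunks and is not visible here.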
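Review bot: Raising the allocation from `j*2+4` to `j*2+5` in scan_request widens the buffer to absorb the one-byte overrun, but the size stays an unexplained magic number and the copy loop that actually overruns (it starts on the last hunk line and continues outside the hunk) is still not bounded by the allocation, so the next change to the expansion will reintroduce the bug. A comment that states the budget is the minimum, e.g. `/* olen bytes of de->st + up to 2*(c-sl) expanded bytes + NUL; +5 (was +4) covers the one-byte overrun fixed in e9ba652c */` — the "2*" reading is inferred from `j*2` and should be confirmed against the loop. Separately, `j=olen+c-sl` adds a size_t from strlen to a pointer difference; if j is an int, `j*2+5` can overflow for a very long .de body, which deserves a range check before the multiply. The `(char*)` cast and `sizeof(char)` on the xmalloc call are redundant in C. scan_request begins and ends outside the hunk.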