===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.244
retrieving revision 1.246
diff -u -p -r1.244 -r1.246
--- mandoc/roff.c	2014/12/18 17:43:41	1.244
+++ mandoc/roff.c	2014/12/28 14:16:26	1.246
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.244 2014/12/18 17:43:41 schwarze Exp $ */
+/*	$Id: roff.c,v 1.246 2014/12/28 14:16:26 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -21,6 +21,7 @@
 
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -650,6 +651,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int 
 			    r->parse, ln, (int)(stesc - buf->buf),
 			    "%.*s", (int)naml, stnam);
 			res = "";
+		} else if (buf->sz + strlen(res) > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
 		}
 
 		/* Replace the escape sequence by the string. */