===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.243
retrieving revision 1.245
diff -u -p -r1.243 -r1.245
--- mandoc/roff.c	2014/12/16 23:44:41	1.243
+++ mandoc/roff.c	2014/12/25 17:23:32	1.245
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.243 2014/12/16 23:44:41 schwarze Exp $ */
+/*	$Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -21,6 +21,7 @@
 
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -658,6 +659,12 @@ roff_res(struct roff *r, struct buf *buf, int ln, int 
 		buf->sz = mandoc_asprintf(&nbuf, "%s%s%s",
 		    buf->buf, res, cp) + 1;
 
+		if (buf->sz > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
+		}
+
 		/* Prepare for the next replacement. */
 
 		start = nbuf + pos;
@@ -1576,7 +1583,7 @@ roff_evalnum(struct roff *r, int ln, const char *v,
 			*res *= operand2;
 			break;
 		case '/':
-			if (0 == operand2) {
+			if (operand2 == 0) {
 				mandoc_msg(MANDOCERR_DIVZERO,
 					r->parse, ln, *pos, v);
 				*res = 0;
@@ -1585,6 +1592,12 @@ roff_evalnum(struct roff *r, int ln, const char *v,
 			*res /= operand2;
 			break;
 		case '%':
+			if (operand2 == 0) {
+				mandoc_msg(MANDOCERR_DIVZERO,
+					r->parse, ln, *pos, v);
+				*res = 0;
+				break;
+			}
 			*res %= operand2;
 			break;
 		case '<':