===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.167
retrieving revision 1.171
diff -u -p -r1.167 -r1.171
--- mandoc/roff.c	2011/07/29 10:16:59	1.167
+++ mandoc/roff.c	2011/09/19 08:34:45	1.171
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.167 2011/07/29 10:16:59 kristaps Exp $ */
+/*	$Id: roff.c,v 1.171 2011/09/19 08:34:45 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2011 Ingo Schwarze <schwarze@openbsd.org>
@@ -31,6 +31,9 @@
 /* Maximum number of nested if-else conditionals. */
 #define	RSTACK_MAX	128
 
+/* Maximum number of string expansions per line, to break infinite loops. */
+#define	EXPAND_LIMIT	1000
+
 enum	rofft {
 	ROFF_ad,
 	ROFF_am,
@@ -179,7 +182,7 @@ static	const char	*roff_getstrn(const struct roff *, 
 				const char *, size_t);
 static	enum rofferr	 roff_line_ignore(ROFF_ARGS);
 static	enum rofferr	 roff_nr(ROFF_ARGS);
-static	void		 roff_openeqn(struct roff *, const char *, 
+static	void		 roff_openeqn(struct roff *, const char *,
 				int, int, const char *);
 static	enum rofft	 roff_parse(struct roff *, const char *, int *);
 static	enum rofferr	 roff_parsetext(char *);
@@ -437,10 +440,12 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int
 	const char	*stnam;	/* start of the name, after "[(*" */
 	const char	*cp;	/* end of the name, e.g. before ']' */
 	const char	*res;	/* the string to be substituted */
-	int		 i, maxl;
+	int		 i, maxl, expand_count;
 	size_t		 nsz;
 	char		*n;
 
+	expand_count = 0;
+
 again:
 	cp = *bufp + pos;
 	while (NULL != (cp = strchr(cp, '\\'))) {
@@ -535,7 +540,13 @@ again:
 
 		*bufp = n;
 		*szp = nsz;
-		goto again;
+
+		if (EXPAND_LIMIT >= ++expand_count)
+			goto again;
+
+		/* Just leave the string unexpanded. */
+		mandoc_msg(MANDOCERR_ROFFLOOP, r->parse, ln, pos, NULL);
+		return;
 	}
 }
 
@@ -545,7 +556,6 @@ again:
 static enum rofferr
 roff_parsetext(char *p)
 {
-	char		 l, r;
 	size_t		 sz;
 	const char	*start;
 	enum mandoc_esc	 esc;
@@ -572,14 +582,8 @@ roff_parsetext(char *p)
 			continue;
 		}
 
-		l = *(p - 1);
-		r = *(p + 1);
-		if ('\\' != l &&
-				'\t' != r && '\t' != l &&
-				' ' != r && ' ' != l &&
-				'-' != r && '-' != l &&
-				! isdigit((unsigned char)l) &&
-				! isdigit((unsigned char)r))
+		if (isalpha((unsigned char)p[-1]) &&
+		    isalpha((unsigned char)p[1]))
 			*p = ASCII_HYPH;
 		p++;
 	}
@@ -1665,13 +1669,6 @@ roff_eqn(const struct roff *r)
 {
 	
 	return(r->last_eqn ? &r->last_eqn->eqn : NULL);
-}
-
-char
-roff_eqndelim(const struct roff *r)
-{
-
-	return('\0');
 }
 
 /*