===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.245
retrieving revision 1.247
diff -u -p -r1.245 -r1.247
--- mandoc/roff.c 2014/12/25 17:23:32 1.245
+++ mandoc/roff.c 2015/01/01 19:28:49 1.247
@@ -1,7 +1,7 @@
-/* $Id: roff.c,v 1.245 2014/12/25 17:23:32 schwarze Exp $ */
+/* $Id: roff.c,v 1.247 2015/01/01 19:28:49 schwarze Exp $ */
 /*
- * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
- * Copyright (c) 2010-2014 Ingo Schwarze
+ * Copyright (c) 2010, 2011, 2012, 2014 Kristaps Dzonsons
+ * Copyright (c) 2010-2015 Ingo Schwarze
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -651,6 +651,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int
 r->parse, ln, (int)(stesc - buf->buf), "%.*s", (int)naml, stnam);
 res = "";
+ } else if (buf->sz + strlen(res) > SHRT_MAX) {
+ mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+ ln, (int)(stesc - buf->buf), NULL);
+ return(ROFF_IGN);
 }
 /* Replace the escape sequence by the string. */
@@ -659,12 +663,6 @@ roff_res(struct roff *r, struct buf *buf, int ln, int
 buf->sz = mandoc_asprintf(&nbuf, "%s%s%s", buf->buf, res, cp) + 1;
- if (buf->sz > SHRT_MAX) {
- mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
- ln, (int)(stesc - buf->buf), NULL);
- return(ROFF_IGN);
- }
-
 /* Prepare for the next replacement. */
 start = nbuf + pos;
@@ -1165,7 +1163,8 @@ roff_cond_sub(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
@@ -1185,7 +1184,8 @@ roff_cond_text(ROFF_ARGS)
 *ep = '&';
 roff_ccond(r, ln, ep - buf->buf - 1);
 }
- ++ep;
+ if (*ep != '\0')
+ ++ep;
 }
 return(rr ? ROFF_CONT : ROFF_IGN);
 }
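Review bot: The new `else if (buf->sz + strlen(res) > SHRT_MAX)` branch in roff_res (hunk at -651) has no comment saying what the bound protects or why the test now runs before `mandoc_asprintf()` instead of after it. The comparison also appears to be conservative, since `buf->sz` still counts the escape sequence that is about to be replaced, so a line can be refused slightly below the limit; that is harmless but worth recording. I would add above the branch `/* Refuse an expansion that would grow the line beyond SHRT_MAX; test before allocating so the oversized buffer is never built. */`. The start of the if/else chain and the enclosing loop are outside the hunk, so the state of earlier replacements on the same line at this early return should be confirmed there.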
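Review bot: The guard `if (*ep != '\0')` added before `++ep` in roff_cond_sub (hunk at -1165), and identically in roff_cond_text (hunk at -1185), carries no explanation, so a reader cannot tell from these lines which input leaves `ep` on the terminator. A one-line comment at both sites would record the intent, e.g. `/* ep may already be at the terminating NUL; never step past the end of the buffer. */`. Because the two sites are copies of each other, a regression input exercising each function would keep them from diverging later. Both loops begin outside the hunks, so the loop condition that depends on this guard was not reviewed here.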