===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.240
retrieving revision 1.246
diff -u -p -r1.240 -r1.246
--- mandoc/roff.c	2014/12/15 23:43:26	1.240
+++ mandoc/roff.c	2014/12/28 14:16:26	1.246
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.240 2014/12/15 23:43:26 schwarze Exp $ */
+/*	$Id: roff.c,v 1.246 2014/12/28 14:16:26 schwarze Exp $ */
 /*
  * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -21,6 +21,7 @@
 
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -650,6 +651,10 @@ roff_res(struct roff *r, struct buf *buf, int ln, int 
 			    r->parse, ln, (int)(stesc - buf->buf),
 			    "%.*s", (int)naml, stnam);
 			res = "";
+		} else if (buf->sz + strlen(res) > SHRT_MAX) {
+			mandoc_msg(MANDOCERR_ROFFLOOP, r->parse,
+			    ln, (int)(stesc - buf->buf), NULL);
+			return(ROFF_IGN);
 		}
 
 		/* Replace the escape sequence by the string. */
@@ -730,6 +735,7 @@ roff_parseln(struct roff *r, int ln, struct buf *buf, 
 	enum rofft	 t;
 	enum rofferr	 e;
 	int		 pos;	/* parse point */
+	int		 spos;	/* saved parse point for messages */
 	int		 ppos;	/* original offset in buf->buf */
 	int		 ctl;	/* macro line (boolean) */
 
@@ -800,15 +806,29 @@ roff_parseln(struct roff *r, int ln, struct buf *buf, 
 		return((*roffs[t].sub)(r, t, buf, ln, ppos, pos, offs));
 	}
 
+	/* No scope is open.  This is a new request or macro. */
+
+	spos = pos;
+	t = roff_parse(r, buf->buf, &pos, ln, ppos);
+
+	/* Tables ignore most macros. */
+
+	if (r->tbl != NULL && (t == ROFF_MAX || t == ROFF_TS)) {
+		mandoc_msg(MANDOCERR_TBLMACRO, r->parse,
+		    ln, pos, buf->buf + spos);
+		return(ROFF_IGN);
+	}
+
 	/*
-	 * Lastly, as we've no scope open, try to look up and execute
-	 * the new macro.  If no macro is found, simply return and let
-	 * the compilers handle it.
+	 * This is neither a roff request nor a user-defined macro.
+	 * Let the standard macro set parsers handle it.
 	 */
 
-	if ((t = roff_parse(r, buf->buf, &pos, ln, ppos)) == ROFF_MAX)
+	if (t == ROFF_MAX)
 		return(ROFF_CONT);
 
+	/* Execute a roff request or a user defined macro. */
+
 	assert(roffs[t].proc);
 	return((*roffs[t].proc)(r, t, buf, ln, ppos, pos, offs));
 }
@@ -1236,7 +1256,7 @@ roff_evalstrcond(const char *v, int *pos)
 out:
 	if (NULL == s3)
 		s3 = strchr(s2, '\0');
-	else
+	else if (*s3 != '\0')
 		s3++;
 	*pos = s3 - v;
 	return(match);
@@ -1249,7 +1269,7 @@ out:
 static int
 roff_evalcond(struct roff *r, int ln, const char *v, int *pos)
 {
-	int	 wanttrue, number;
+	int	 number, savepos, wanttrue;
 
 	if ('!' == v[*pos]) {
 		wanttrue = 0;
@@ -1282,10 +1302,13 @@ roff_evalcond(struct roff *r, int ln, const char *v, i
 		break;
 	}
 
+	savepos = *pos;
 	if (roff_evalnum(r, ln, v, pos, &number, 0))
 		return((number > 0) == wanttrue);
-	else
+	else if (*pos == savepos)
 		return(roff_evalstrcond(v, pos) == wanttrue);
+	else
+		return (0);
 }
 
 static enum rofferr
@@ -1558,7 +1581,7 @@ roff_evalnum(struct roff *r, int ln, const char *v,
 			*res *= operand2;
 			break;
 		case '/':
-			if (0 == operand2) {
+			if (operand2 == 0) {
 				mandoc_msg(MANDOCERR_DIVZERO,
 					r->parse, ln, *pos, v);
 				*res = 0;
@@ -1567,6 +1590,12 @@ roff_evalnum(struct roff *r, int ln, const char *v,
 			*res /= operand2;
 			break;
 		case '%':
+			if (operand2 == 0) {
+				mandoc_msg(MANDOCERR_DIVZERO,
+					r->parse, ln, *pos, v);
+				*res = 0;
+				break;
+			}
 			*res %= operand2;
 			break;
 		case '<':