Off-by-one out-of-bounds write #1

Closed
WhatTheFuzz opened this issue Jan 31, 2023 · 1 comment
WhatTheFuzz commented Jan 31, 2023

Hello. I picked up on what I believe to be an off-by-one out-of-bounds write onto the stack (at the address stored in word, created in man_xx). It looks like parse_value continues writing to offset 256. The following is the backtrace when compiled with ASAN and clang. I tested it out on i386 and amd64 and got the same results. PR incoming.

After compiling with ASAN (add -fsanitize=address to CFLAGS), run the following. The failing input is attached.

./mantohtml ./bf8b7f1ea6034319a7c5db20070c4a49ce67e4d4298f69f0a10059b97b5f3c98 > /dev/null

The backtrace:

==1833932==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffbbc500 at pc 0x56644cb8 bp 0xffbbbea8 sp 0xffbbbea0
READ of size 1 at 0xffbbc500 thread T0
    #0 0x56644cb7 in man_puts /mantohtml/mantohtml.c:1207:10
    #1 0x5664510f in man_xx /mantohtml/mantohtml.c:1529:5
    #2 0x5663e60c in convert_man /mantohtml/mantohtml.c
    #3 0x5663e60c in main /mantohtml/mantohtml.c:212:7
    #4 0xf7b64518 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0xf7b645f2 in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5657e3ea in _start (/mantohtml/mantohtml+0x1b3ea) (BuildId: eb83c6e6d6e1090696a05552d04e8fd761dfe301)

Address 0xffbbc500 is located in stack of thread T0 at offset 288 in frame
    #0 0x56644f5f in man_xx /mantohtml/mantohtml.c:1518

  This frame has 2 object(s):
    [16, 20) 'line.addr'
    [32, 288) 'word' (line 1519) <== Memory access at offset 288 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /mantohtml/mantohtml.c:1207:10 in man_puts
Shadow bytes around the buggy address:
  0x3ff77850: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3
  0x3ff77860: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x3ff77870: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 04 f2
  0x3ff77880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff77890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3ff778a0:[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x3ff778b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff778c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f8 f8
  0x3ff778d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x3ff778e0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x3ff778f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1833932==ABORTING

bf8b7f1ea6034319a7c5db20070c4a49ce67e4d4298f69f0a10059b97b5f3c98.txt
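As an added illustration, not mantohtml's code (the thread does not show it), here is a hypothetical reconstruction of the bug class this report describes: a 256-byte word buffer that a copy loop can fill completely, leaving no terminator so that a later string scan reads at offset 256, beside a hardened filler that always terminates and reports truncation. WORD_SIZE, fill_word_unsafe, fill_word_safe and the 300-character input are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

#define WORD_SIZE 256   /* size of the 'word' object in the ASAN report: [32, 288) */

/* Hypothetical reconstruction of the bug class, not mantohtml's code: the loop may
 * consume the whole buffer and the NUL is stored only when it stopped early, so a
 * word of 256+ characters leaves 'word' unterminated and a later strlen()-style
 * scan (the READ in man_puts) runs past the end of the buffer. */
static size_t fill_word_unsafe(const char *in, char word[WORD_SIZE])
{
    size_t i = 0;
    for (; i < WORD_SIZE && in[i] && in[i] != ' '; i++)
        word[i] = in[i];
    if (i < WORD_SIZE)
        word[i] = '\0';             /* skipped exactly when the buffer is full */
    return i;
}

/* Hardened form: reserve the last byte for the NUL, always terminate, and
 * report truncation so the caller can reject or log over-long input. */
static size_t fill_word_safe(const char *in, char word[WORD_SIZE], bool *truncated)
{
    size_t i = 0;
    for (; i < WORD_SIZE - 1 && in[i] && in[i] != ' '; i++)
        word[i] = in[i];
    word[i] = '\0';
    *truncated = (in[i] != '\0' && in[i] != ' ');
    return i;
}

/* Constructed inputs run through both fillers: a 300-character word with no
 * delimiter, then a short word. Returns 0 on the expected outcome: the unsafe
 * filler leaves no NUL in the buffer; the safe one stores 255 bytes, terminates,
 * flags truncation, and handles the short word without truncation. */
static int check_fillers(void)
{
    static char in[301];                        /* in[300] stays '\0' */
    char word[WORD_SIZE];
    bool truncated = false;
    memset(in, 'a', 300);
    fill_word_unsafe(in, word);
    if (memchr(word, '\0', WORD_SIZE) != NULL)  /* bounded scan; strlen would not be */
        return 1;
    if (fill_word_safe(in, word, &truncated) != WORD_SIZE - 1)
        return 2;
    if (!truncated || word[WORD_SIZE - 1] != '\0')
        return 3;
    if (fill_word_safe("ab cd", word, &truncated) != 2 || truncated)
        return 4;
    return 0;
}
```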

@michaelrsweet michaelrsweet self-assigned this Jan 31, 2023
@michaelrsweet michaelrsweet added bug Something isn't working priority-high labels Jan 31, 2023
@michaelrsweet michaelrsweet added this to the Stable milestone Jan 31, 2023
michaelrsweet added a commit that referenced this issue Jan 31, 2023
Bump version and copyright.
@michaelrsweet (Owner)

[master c78203b] Fix buffer overrun bug in man_puts (Issue #1)
