Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site polyof.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!think!harvard!cmcl2!philabs!ron1!polyof!john
From: john@polyof.UUCP ( John Buck )
Newsgroups: net.bugs
Subject: nroff overprint bug
Message-ID: <185@polyof.UUCP>
Date: Wed, 25-Dec-85 18:39:24 EST
Article-I.D.: polyof.185
Posted: Wed Dec 25 18:39:24 1985
Date-Received: Sat, 28-Dec-85 01:47:33 EST
Distribution: net
Organization: Polytechnic Inst. of NY, Farmingdale
Lines: 37

The in-line overstriking function of n/troff is broken.
This bug exists in all versions of *roff that I looked at
(including DWB ditroff).  Bug follows:

here is a big overprint:
\o'abcdefghijklmnopqrstuvwxyz123356798'

The bug was found cause someone made a mistake and forgot to put
the closing delimiter on the \o command, and it caused lots of
overstrikes (to the end of line actually).

The bug is that the overstrike buffer is declared to be 10 long or
some such, and a test IS made so that if you ask for more than
10 overprints, it breaks out of its loop.  It then takes the liberty
of doing:

	while(n < NOVR){
		blah[n] = getc();
		blah1[n] = size(c);
		n++;
	}
	blah[n] = 0;
	blah1[n] = 0;

The arrays blah[] and blah1[] are declared as such:

	char blah[NOVR], blah1[NOVR];

Needless to say, setting the element beyond the end of blah[]
and/or blah1[] often has unexpected results.  In this case, a core
dump since it creamed a return address on the stack.

Bug is in n9.c, look for /^setov/
The bug is obvious.

John Buck
Polytechnic Inst. of NY
Route 110
Farmingdale, NY 11735
decvax!mcnc!philabs!ron1!polyof!john
       |
       +--!rti-sel!john
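
The off-by-one described in the post, next to a bounded form, as an added example (not part of the original article and not the n9.c source). The function names, NOVR = 10 and the stop conditions on delimiter and end of line are assumptions; the sample input is the overprint argument from the post with its closing delimiter missing.

```c
#include <stdio.h>
#include <string.h>

#define NOVR 10  /* assumed limit; the post says "10 long or some such" */

/* Pattern from the post: the loop ends with n == NOVR on long input, then
 * the terminator is stored at index n. `store` must hold NOVR + 1 bytes so
 * the stray write can be observed here without undefined behaviour. */
size_t collect_as_posted(const char *in, char delim, char *store)
{
    size_t n = 0;
    while (n < NOVR && *in != '\0' && *in != '\n' && *in != delim)
        store[n++] = *in++;
    store[n] = 0;        /* n may be NOVR: one past a char[NOVR] */
    return n;
}

/* Bounded form: the loop reserves the last slot for the terminator. */
size_t collect_bounded(const char *in, char delim, char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    while (n < cap - 1 && *in != '\0' && *in != '\n' && *in != delim)
        buf[n++] = *in++;
    buf[n] = 0;          /* n <= cap - 1 always holds here */
    return n;
}

/* Returns 1 if the posted pattern overwrote the guard byte that sits
 * directly after a NOVR-sized buffer, 0 if the guard survived. */
int posted_pattern_clobbers(const char *in, char delim)
{
    char store[NOVR + 1];
    memset(store, 'G', sizeof store);   /* store[NOVR] is the guard */
    collect_as_posted(in, delim, store);
    return store[NOVR] != 'G';
}

int main(void)
{
    const char *arg = "abcdefghijklmnopqrstuvwxyz123356798\n"; /* from the post */
    char buf[NOVR];
    printf("as posted, guard clobbered: %d\n", posted_pattern_clobbers(arg, '\''));
    printf("bounded, kept %zu chars: ", collect_bounded(arg, '\'', buf, sizeof buf));
    printf("%s\n", buf);
    return 0;
}
```

In the real code the byte after the array was not a guard but, per the post, a return address on the stack.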