summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@openbsd.org>2015-02-10 17:47:45 +0000
committerIngo Schwarze <schwarze@openbsd.org>2015-02-10 17:47:45 +0000
commitf3138b20a341b989240218c6f5d74bbef7fae89e (patch)
tree06e80a15d365206f98a261823a0eb4a56c9f4490
parentcb3e90e0e6db40508a63959069161c053a32fa5f (diff)
downloadmandoc-f3138b20a341b989240218c6f5d74bbef7fae89e.tar.gz
Be more careful to not generate empty .In, .St, and .Xr nodes.
That could happen when their first argument was another called macro, causing a NULL pointer access in .St validation found by jsg@ with afl. Make in_line_argn() easier to understand by using one state variable rather than two.
-rw-r--r--mdoc_macro.c76
1 files changed, 43 insertions, 33 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c
index 63f39edc..93a9adcf 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -1285,11 +1285,12 @@ blk_part_exp(MACRO_PROT_ARGS)
static void
in_line_argn(MACRO_PROT_ARGS)
{
- int la, flushed, j, maxargs, nl;
- enum margserr ac;
struct mdoc_arg *arg;
char *p;
+ enum margserr ac;
enum mdoct ntok;
+ int state; /* arg#; -1: not yet open; -2: closed */
+ int la, maxargs, nl;
nl = mdoc->flags & MDOC_NEWLINE;
@@ -1323,67 +1324,76 @@ in_line_argn(MACRO_PROT_ARGS)
mdoc_argv(mdoc, line, tok, &arg, pos, buf);
+ state = -1;
p = NULL;
- flushed = j = 0;
for (;;) {
la = *pos;
ac = mdoc_args(mdoc, line, pos, buf, tok, &p);
+
+ if (ac == ARGS_WORD && state == -1 &&
+ ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) &&
+ mdoc_isdelim(p) == DELIM_OPEN) {
+ dword(mdoc, line, la, p, DELIM_OPEN, 0);
+ continue;
+ }
+
+ if (state == -1 && tok != MDOC_In &&
+ tok != MDOC_St && tok != MDOC_Xr) {
+ mdoc_elem_alloc(mdoc, line, ppos, tok, arg);
+ state = 0;
+ }
+
if (ac == ARGS_PUNCT || ac == ARGS_EOLN) {
- if (j < 2 && tok == MDOC_Pf)
+ if (abs(state) < 2 && tok == MDOC_Pf)
mandoc_vmsg(MANDOCERR_PF_SKIP,
mdoc->parse, line, ppos, "Pf %s",
p == NULL ? "at eol" : p);
break;
}
- if ( ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) &&
- ac != ARGS_QWORD && j == 0 &&
- mdoc_isdelim(p) == DELIM_OPEN) {
- dword(mdoc, line, la, p, DELIM_OPEN, 0);
- continue;
- } else if (j == 0)
- mdoc_elem_alloc(mdoc, line, ppos, tok, arg);
-
- if (j == maxargs && ! flushed) {
+ if (state == maxargs) {
rew_elem(mdoc, tok);
- flushed = 1;
+ state = -2;
}
- ntok = (ac == ARGS_QWORD || (tok == MDOC_Pf && j == 0)) ?
+ ntok = (ac == ARGS_QWORD || (tok == MDOC_Pf && state == 0)) ?
MDOC_MAX : lookup(mdoc, tok, line, la, p);
if (ntok != MDOC_MAX) {
- if ( ! flushed)
+ if (state >= 0) {
rew_elem(mdoc, tok);
- flushed = 1;
+ state = -2;
+ }
mdoc_macro(mdoc, ntok, line, la, pos, buf);
- j++;
break;
}
- if ( ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) &&
- ac != ARGS_QWORD && ! flushed &&
- mdoc_isdelim(p) != DELIM_NONE) {
+ if (ac == ARGS_QWORD ||
+ mdoc_macros[tok].flags & MDOC_IGNDELIM ||
+ mdoc_isdelim(p) == DELIM_NONE) {
+ if (state == -1) {
+ mdoc_elem_alloc(mdoc, line, ppos, tok, arg);
+ state = 1;
+ } else if (state >= 0)
+ state++;
+ } else if (state >= 0) {
rew_elem(mdoc, tok);
- flushed = 1;
+ state = -2;
}
dword(mdoc, line, la, p, DELIM_MAX,
MDOC_JOIN & mdoc_macros[tok].flags);
- j++;
}
- if (j == 0) {
- if (tok == MDOC_In || tok == MDOC_St || tok == MDOC_Xr) {
- mandoc_msg(MANDOCERR_MACRO_EMPTY, mdoc->parse,
- line, ppos, mdoc_macronames[tok]);
- return;
- }
- mdoc_elem_alloc(mdoc, line, ppos, tok, arg);
- if (ac == ARGS_PUNCT && tok == MDOC_Pf)
- append_delims(mdoc, line, pos, buf);
+ if (state == -1) {
+ mandoc_msg(MANDOCERR_MACRO_EMPTY, mdoc->parse,
+ line, ppos, mdoc_macronames[tok]);
+ return;
}
- if ( ! flushed)
+
+ if (state == 0 && tok == MDOC_Pf)
+ append_delims(mdoc, line, pos, buf);
+ if (state >= 0)
rew_elem(mdoc, tok);
if (nl)
append_delims(mdoc, line, pos, buf);