Be more careful about meta->name. For weird input, it can be NULL.

Fixing a NULL access jsg@ found with afl.
author: Ingo Schwarze <schwarze@openbsd.org> 2014-11-28 16:02:52 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-11-28 16:02:52 +0000
commit: 0d85bf1b1bfc29a9c4d093a17b107eb043630da7 (patch)
tree: a788195670e48961697003b0371ec51b37aa8b1e
parent: b7ed451bab9b712963df52a4f4ea0783fa4941d7 (diff)
download: mandoc-0d85bf1b1bfc29a9c4d093a17b107eb043630da7.tar.gz
1 files changed, 10 insertions, 6 deletions
diff --git a/mdoc_term.c b/mdoc_term.c
index 60dd9f8e..4c11a3c3 100644
--- a/mdoc_term.c
+++ b/mdoc_term.c
@@ -995,6 +995,7 @@ termp_it_post(DECL_ARGS)
 static int
 termp_nm_pre(DECL_ARGS)
 {
+	const char	*cp;
 
 	if (MDOC_BLOCK == n->type) {
 		p->flags |= TERMP_PREKEEP;
@@ -1005,12 +1006,15 @@ termp_nm_pre(DECL_ARGS)
 		if (NULL == n->child)
 			return(0);
 		p->flags |= TERMP_NOSPACE;
-		p->offset += term_len(p, 1) +
-		    (NULL == n->prev->child ?
-		     term_strlen(p, meta->name) :
-		     MDOC_TEXT == n->prev->child->type ?
-		     term_strlen(p, n->prev->child->string) :
-		     term_len(p, 5));
+		cp = NULL;
+		if (n->prev->child != NULL)
+		    cp = n->prev->child->string;
+		if (cp == NULL)
+			cp = meta->name;
+		if (cp == NULL)
+			p->offset += term_len(p, 6);
+		else
+			p->offset += term_len(p, 1) + term_strlen(p, cp);
 		return(1);
 	}
author	Ingo Schwarze <schwarze@openbsd.org>	2014-11-28 16:02:52 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2014-11-28 16:02:52 +0000
commit	0d85bf1b1bfc29a9c4d093a17b107eb043630da7 (patch)
tree	a788195670e48961697003b0371ec51b37aa8b1e
parent	b7ed451bab9b712963df52a4f4ea0783fa4941d7 (diff)
download	mandoc-0d85bf1b1bfc29a9c4d093a17b107eb043630da7.tar.gz