authorIngo Schwarze <schwarze@openbsd.org>2014-08-18 16:36:54 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-08-18 16:36:54 +0000
commit4720797aad300924396f0e81ac41b4aaf9863dea (patch)
tree4f0d74b35bb02e6a36119b4550de49b407ebce88
parent9db097d0fa3580b6949e4da3455438f64cf21525 (diff)
When the first child of the node being validated gets deleted during
validation, man_node_unlink() switches to MAN_NEXT_CHILD. After that, we have to switch back to MAN_NEXT_SIBLING after completing validation, or subsequent parsing would add content into an already closed node, clobbering potentially existing children, causing information loss and a memory leak. Bug found by kristaps@ with valgrind in groff(7) on Mac OS X. Note that the switch back must be conditional, for if the node being validated itself gets deleted, we must *not* go to MAN_NEXT_SIBLING, which would not only yield wrong results in general but also crash in malformed manuals having an empty paragraph before the first .SH, for example OpenBSD c++filt(1).
-rw-r--r--man_macro.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/man_macro.c b/man_macro.c
index 8f12b894..7c2cc71a 100644
--- a/man_macro.c
+++ b/man_macro.c
@@ -100,7 +100,6 @@ man_unscope(struct man *man, const struct man_node *to)
{
struct man_node *n;
- man->next = MAN_NEXT_SIBLING;
to = to->parent;
n = man->last;
while (n != to) {
@@ -139,11 +138,23 @@ man_unscope(struct man *man, const struct man_node *to)
* Save a pointer to the parent such that
* we know where to continue the iteration.
*/
+
man->last = n;
n = n->parent;
if ( ! man_valid_post(man))
return(0);
}
+
+ /*
+ * If we ended up at the parent of the node we were
+ * supposed to rewind to, that means the target node
+ * got deleted, so add the next node we parse as a child
+ * of the parent instead of as a sibling of the target.
+ */
+
+ man->next = (man->last == to) ?
+ MAN_NEXT_CHILD : MAN_NEXT_SIBLING;
+
return(1);
}
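Review bot: The early `return(0)` inside the loop now leaves `man->next` at whatever value the last validation step set. The unconditional `man->next = MAN_NEXT_SIBLING;` at the top of man_unscope() was removed, and the new assignment only runs once the loop has completed. If any caller keeps parsing after a zero return (not visible in this hunk), it could again attach nodes to a closed or deleted node, which is the information loss, leak or crash this commit sets out to fix. A comment above that return such as `/* On failure man->next is unspecified; callers must abort the parse. */` would pin the contract. The `man->last == to` test also appears to rely on man_valid_post() moving `man->last` to the parent only when it deletes the node, which is worth stating in the new block comment; the loop body starts outside this hunk, so its earlier statements were not reviewed.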