author | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-18 16:36:54 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-18 16:36:54 +0000 |
commit | 4720797aad300924396f0e81ac41b4aaf9863dea (patch) | |
tree | 4f0d74b35bb02e6a36119b4550de49b407ebce88 | |
parent | 9db097d0fa3580b6949e4da3455438f64cf21525 (diff) | |
download | mandoc-4720797aad300924396f0e81ac41b4aaf9863dea.tar.gz |
When the first child of the node being validated gets deleted during
validation, man_node_unlink() switches to MAN_NEXT_CHILD. After
that, we have to switch back to MAN_NEXT_SIBLING after completing
validation, or subsequent parsing would add content into an already
closed node, clobbering potentially existing children, causing
information loss and a memory leak. Bug found by kristaps@ with
valgrind in groff(7) on Mac OS X.

Note that the switch back must be conditional, for if the node being
validated itself gets deleted, we must *not* go to MAN_NEXT_SIBLING,
which would not only yield wrong results in general but also crash
in malformed manuals having an empty paragraph before the first .SH,
for example OpenBSD c++filt(1).
-rw-r--r-- | man_macro.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/man_macro.c b/man_macro.c index 8f12b894..7c2cc71a 100644 --- a/man_macro.c +++ b/man_macro.c @@ -100,7 +100,6 @@ man_unscope(struct man *man, const struct man_node *to) { struct man_node *n; - man->next = MAN_NEXT_SIBLING; to = to->parent; n = man->last; while (n != to) { @@ -139,11 +138,23 @@ man_unscope(struct man *man, const struct man_node *to) * Save a pointer to the parent such that * we know where to continue the iteration. */ + man->last = n; n = n->parent; if ( ! man_valid_post(man)) return(0); } + + /* + * If we ended up at the parent of the node we were + * supposed to rewind to, that means the target node + * got deleted, so add the next node we parse as a child + * of the parent instead of as a sibling of the target. + */ + + man->next = (man->last == to) ? + MAN_NEXT_CHILD : MAN_NEXT_SIBLING; + return(1); } |
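Review bot: In the first hunk, dropping the unconditional `man->next = MAN_NEXT_SIBLING;` from the top of man_unscope() changes two paths that the commit message does not mention. On the early `return(0)` after a failed man_valid_post(), man->next is no longer set by this function at all, so it keeps whatever value validation left behind. And when `while (n != to)` is never entered because man->last already equals the reassigned `to`, the new assignment at the end evaluates `man->last == to` as true and selects MAN_NEXT_CHILD, where the old code selected MAN_NEXT_SIBLING. Please confirm that callers stop parsing on a 0 return and that the loop-not-entered case either cannot occur or is meant to yield MAN_NEXT_CHILD, and say so in a comment.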
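Review bot: In the second hunk, the new `man->last = n;` is inserted between the existing comment "Save a pointer to the parent such that we know where to continue the iteration" and the `n = n->parent;` statement that comment describes, so the comment now reads as if it documented the wrong line. Move the new assignment above the comment or give it its own one-line comment explaining that man_valid_post() validates man->last. Separately, the final test `man->last == to` relies on `to` having been overwritten with `to->parent` at the top of the function; the added comment explains the intent, but a distinct local name for the parent would make the comparison readable without scrolling back.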