summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@openbsd.org>2015-02-07 16:42:33 +0000
committerIngo Schwarze <schwarze@openbsd.org>2015-02-07 16:42:33 +0000
commit1874040926dffdcbabb70003b9c49ea82d64a5b7 (patch)
tree7416e6a6afeecbb461a5bf86ccd9124faa078d40
parent8dd31926cbb3e1a61a3f9f2bbd75821f1a9d39eb (diff)
downloadmandoc-1874040926dffdcbabb70003b9c49ea82d64a5b7.tar.gz
Closing a block validates it, which may end up deleting it,
so if we are in a loop over blocks, cleanly restart the loop rather than risking use after free; found by jsg@ with afl.
-rw-r--r--mdoc_macro.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c
index 48f0cf92..63f39edc 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -941,6 +941,7 @@ blk_full(MACRO_PROT_ARGS)
mdoc_macronames[tok],
mdoc_macronames[n->tok]);
rew_pending(mdoc, n);
+ n = mdoc->last;
continue;
case MDOC_It:
/* Delay in case it's astray. */