summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@openbsd.org>2015-05-01 16:58:33 +0000
committerIngo Schwarze <schwarze@openbsd.org>2015-05-01 16:58:33 +0000
commit9ae0b6df47c6577bc5d637a71363e55c9feae504 (patch)
tree98c0b396904119b3205a3a65b938a1165179453b
parent14900fe7cc68ef746633548fdd98ddfc1085d664 (diff)
downloadmandoc-9ae0b6df47c6577bc5d637a71363e55c9feae504.tar.gz
mdoc_valid_post() may indirectly call roff_node_unlink() which may
set ROFF_NEXT_CHILD, which is desirable for the final call to mdoc_valid_post() - in case the target itself gets deleted, the parse point may need this adjustment - but not for the intermediate calls - if intermediate nodes get deleted, that mustn't clobber the parse point. So move setting ROFF_NEXT_SIBLING to the proper place in rew_last(). This fixes the assertion failure in jsg@'s afl test case 108/Apr27.
-rw-r--r--mdoc_macro.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c
index e8882db4..47493dd4 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -263,7 +263,6 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to)
if (to->flags & MDOC_VALID)
return;
- mdoc->next = ROFF_NEXT_SIBLING;
while (mdoc->last != to) {
/*
* Save the parent here, because we may delete the
@@ -276,6 +275,7 @@ rew_last(struct roff_man *mdoc, const struct roff_node *to)
mdoc->last = np;
assert(mdoc->last);
}
+ mdoc->next = ROFF_NEXT_SIBLING;
mdoc_valid_post(mdoc);
}