diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2015-02-10 17:47:45 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2015-02-10 17:47:45 +0000 |
commit | f3138b20a341b989240218c6f5d74bbef7fae89e (patch) | |
tree | 06e80a15d365206f98a261823a0eb4a56c9f4490 | |
parent | cb3e90e0e6db40508a63959069161c053a32fa5f (diff) | |
download | mandoc-f3138b20a341b989240218c6f5d74bbef7fae89e.tar.gz |
Be more careful to not generate empty .In, .St, and .Xr nodes.
That could happen when their first argument was another called macro,
causing a NULL pointer access in .St validation found by jsg@ with afl.
Make in_line_argn() easier to understand by using one state
variable rather than two.
-rw-r--r-- | mdoc_macro.c | 76 |
1 files changed, 43 insertions, 33 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c index 63f39edc..93a9adcf 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -1285,11 +1285,12 @@ blk_part_exp(MACRO_PROT_ARGS) static void in_line_argn(MACRO_PROT_ARGS) { - int la, flushed, j, maxargs, nl; - enum margserr ac; struct mdoc_arg *arg; char *p; + enum margserr ac; enum mdoct ntok; + int state; /* arg#; -1: not yet open; -2: closed */ + int la, maxargs, nl; nl = mdoc->flags & MDOC_NEWLINE; @@ -1323,67 +1324,76 @@ in_line_argn(MACRO_PROT_ARGS) mdoc_argv(mdoc, line, tok, &arg, pos, buf); + state = -1; p = NULL; - flushed = j = 0; for (;;) { la = *pos; ac = mdoc_args(mdoc, line, pos, buf, tok, &p); + + if (ac == ARGS_WORD && state == -1 && + ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) && + mdoc_isdelim(p) == DELIM_OPEN) { + dword(mdoc, line, la, p, DELIM_OPEN, 0); + continue; + } + + if (state == -1 && tok != MDOC_In && + tok != MDOC_St && tok != MDOC_Xr) { + mdoc_elem_alloc(mdoc, line, ppos, tok, arg); + state = 0; + } + if (ac == ARGS_PUNCT || ac == ARGS_EOLN) { - if (j < 2 && tok == MDOC_Pf) + if (abs(state) < 2 && tok == MDOC_Pf) mandoc_vmsg(MANDOCERR_PF_SKIP, mdoc->parse, line, ppos, "Pf %s", p == NULL ? "at eol" : p); break; } - if ( ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) && - ac != ARGS_QWORD && j == 0 && - mdoc_isdelim(p) == DELIM_OPEN) { - dword(mdoc, line, la, p, DELIM_OPEN, 0); - continue; - } else if (j == 0) - mdoc_elem_alloc(mdoc, line, ppos, tok, arg); - - if (j == maxargs && ! flushed) { + if (state == maxargs) { rew_elem(mdoc, tok); - flushed = 1; + state = -2; } - ntok = (ac == ARGS_QWORD || (tok == MDOC_Pf && j == 0)) ? + ntok = (ac == ARGS_QWORD || (tok == MDOC_Pf && state == 0)) ? MDOC_MAX : lookup(mdoc, tok, line, la, p); if (ntok != MDOC_MAX) { - if ( ! flushed) + if (state >= 0) { rew_elem(mdoc, tok); - flushed = 1; + state = -2; + } mdoc_macro(mdoc, ntok, line, la, pos, buf); - j++; break; } - if ( ! (mdoc_macros[tok].flags & MDOC_IGNDELIM) && - ac != ARGS_QWORD && ! flushed && - mdoc_isdelim(p) != DELIM_NONE) { + if (ac == ARGS_QWORD || + mdoc_macros[tok].flags & MDOC_IGNDELIM || + mdoc_isdelim(p) == DELIM_NONE) { + if (state == -1) { + mdoc_elem_alloc(mdoc, line, ppos, tok, arg); + state = 1; + } else if (state >= 0) + state++; + } else if (state >= 0) { rew_elem(mdoc, tok); - flushed = 1; + state = -2; } dword(mdoc, line, la, p, DELIM_MAX, MDOC_JOIN & mdoc_macros[tok].flags); - j++; } - if (j == 0) { - if (tok == MDOC_In || tok == MDOC_St || tok == MDOC_Xr) { - mandoc_msg(MANDOCERR_MACRO_EMPTY, mdoc->parse, - line, ppos, mdoc_macronames[tok]); - return; - } - mdoc_elem_alloc(mdoc, line, ppos, tok, arg); - if (ac == ARGS_PUNCT && tok == MDOC_Pf) - append_delims(mdoc, line, pos, buf); + if (state == -1) { + mandoc_msg(MANDOCERR_MACRO_EMPTY, mdoc->parse, + line, ppos, mdoc_macronames[tok]); + return; } - if ( ! flushed) + + if (state == 0 && tok == MDOC_Pf) + append_delims(mdoc, line, pos, buf); + if (state >= 0) rew_elem(mdoc, tok); if (nl) append_delims(mdoc, line, pos, buf); |