When the last line of a table layout turns out to be empty, it is deleted.

Do not just free the struct tbl_row but also make sure that no pointer to it remains. Fixing a use after free found by jsg@ with afl.
author: Ingo Schwarze <schwarze@openbsd.org> 2015-04-29 12:44:58 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2015-04-29 12:44:58 +0000
commit: f7b136b7e6f8f82ddfee731bb4f5519e3c57b2fb (patch)
tree: aa5271fd2dab10489d806f20569a7caf0c4823db
parent: eceb0fa8869e9bc9a64e70df2a3ab07cf932de48 (diff)
download: mandoc-f7b136b7e6f8f82ddfee731bb4f5519e3c57b2fb.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/tbl_layout.c b/tbl_layout.c
index 48a654cc..1bfcee1b 100644
--- a/tbl_layout.c
+++ b/tbl_layout.c
@@ -308,6 +308,7 @@ tbl_layout(struct tbl_node *tbl, int ln, const char *p, int pos)
 				    rp->next->first == NULL) {
 					free(rp->next);
 					rp->next = NULL;
+					tbl->last_row = rp;
 				}
 			}
 			return;
author	Ingo Schwarze <schwarze@openbsd.org>	2015-04-29 12:44:58 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2015-04-29 12:44:58 +0000
commit	f7b136b7e6f8f82ddfee731bb4f5519e3c57b2fb (patch)
tree	aa5271fd2dab10489d806f20569a7caf0c4823db
parent	eceb0fa8869e9bc9a64e70df2a3ab07cf932de48 (diff)
download	mandoc-f7b136b7e6f8f82ddfee731bb4f5519e3c57b2fb.tar.gz