diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-11 14:11:17 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-11 14:11:17 +0000 |
commit | 34dae0ac5bd5b247f20a8ae66eab5e03d13440db (patch) | |
tree | 8b5cb5db20e178f930df9d37e9d9417bd6922754 | |
parent | 26e005b2a5827b112b2ff97f47feb025eaaf6b3e (diff) | |
download | mandoc-34dae0ac5bd5b247f20a8ae66eab5e03d13440db.tar.gz |
Do not prematurely close .Nd containing a broken child.
Fixes tree corruption leading to NULL dereference
in insane cases like .Oo Oo .Nd .Pq Oc .Oc Oc
found by tb@ with afl(1).
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | mdoc_macro.c | 10 |
2 files changed, 11 insertions, 3 deletions
@@ -53,8 +53,10 @@ Changes in version 1.14.1, released on February XXX, 2017 * mdoc(7): Fix syntax tree corruption leading to NULL dereference caused by .Ta following a nested .Bl -column breaking another block. * mdoc(7): Fix syntax tree corruption sometimes leading to NULL - dereference caused by indirectly broken .Nm blocks in the SYNOPSIS. + dereference caused by indirectly broken .Nd or .Nm blocks. * mdoc(7) -Thtml: Fix a NULL dereference for .Bl -column with 0 columns. + * mdoc(7): Fix NULL dereference in some specific cases of a + block-end macro calling another block-end macro. * mdoc(7): Fix NULL dereference if the only child of the head of the first .Sh was an empty in-line macro. * mdoc(7): Fix an assertion failure for a .Bd without a type that diff --git a/mdoc_macro.c b/mdoc_macro.c index 570e5698..23167fb4 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -647,10 +647,16 @@ blk_exp_close(MACRO_PROT_ARGS) break; } - /* Explicit blocks close out description lines. */ + /* + * Explicit blocks close out description lines, but + * even those can get broken together with a child. + */ if (n->tok == MDOC_Nd) { - rew_last(mdoc, n); + if (later != NULL) + n->flags |= NODE_BROKEN | NODE_ENDED; + else + rew_last(mdoc, n); continue; } |