diff options
| author | Ingo Schwarze <schwarze@openbsd.org> | 2015-04-21 16:14:25 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2015-04-21 16:14:25 +0000 |
| commit | 748d0319758b319897e6839169f9b45e27d030da (patch) | |
| tree | ea8a059241e37de6227195456ad1f436e186e93a | |
| parent | 6939ed3cf1934623e887fc392bf4bb8126dfac6f (diff) | |
| download | mandoc-748d0319758b319897e6839169f9b45e27d030da.tar.gz | |
Avoid a use after free when the target node is deleted during validation.
Bug reported by jsg@.
| -rw-r--r-- | mdoc_macro.c | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c index f2c7d78e..05234250 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -291,18 +291,21 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n) for (;;) { rew_last(mdoc, n); - switch (n->type) { - case ROFFT_HEAD: - roff_body_alloc(mdoc, n->line, n->pos, n->tok); - return; - case ROFFT_BLOCK: - break; - default: - return; - } - - if ( ! (n->flags & MDOC_BROKEN)) - return; + if (mdoc->last == n) { + switch (n->type) { + case ROFFT_HEAD: + roff_body_alloc(mdoc, n->line, n->pos, + n->tok); + return; + case ROFFT_BLOCK: + break; + default: + return; + } + if ( ! (n->flags & MDOC_BROKEN)) + return; + } else + n = mdoc->last; for (;;) { if ((n = n->parent) == NULL) |