authorIngo Schwarze <schwarze@openbsd.org>2017-02-10 22:19:18 +0000
committerIngo Schwarze <schwarze@openbsd.org>2017-02-10 22:19:18 +0000
commitd315ab0f3840004d8ba2b2477aa3127454b46746 (patch)
tree55f438d6e47b63b2d3db1ca99f40f74c40a19458
parenta68d897a41b530bdc20192b48d23b5c52edf457c (diff)
For child macros of block-end macros, only scan backwards for pending
breakers unless the parent of the block is already closed. While the scanning is needed in cases like ".Ac Bo" for broken Ao, it is useless and crashy in cases like ".Ac Bc" for non-broken Ao. This fixes a NULL pointer dereference that tb@ found with afl(1).
-rw-r--r--mdoc_macro.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c
index 30323293..2b5cb419 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -398,9 +398,9 @@ find_pending(struct roff_man *mdoc, int tok, int line, int ppos,
if (n->type == ROFFT_BLOCK &&
mdoc_macros[n->tok].flags & MDOC_EXPLICIT) {
irc = 1;
- n->flags = NODE_BROKEN;
+ n->flags |= NODE_BROKEN;
if (target->type == ROFFT_HEAD)
- target->flags = NODE_ENDED;
+ target->flags |= NODE_ENDED;
else if ( ! (target->flags & NODE_ENDED)) {
mandoc_vmsg(MANDOCERR_BLK_NEST,
mdoc->parse, line, ppos,
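Review bot: The two `|=` changes in find_pending() carry no comment saying why the other flag bits must survive, which makes them easy to revert as a cosmetic cleanup. Plain assignment discarded every bit already set on `n` and `target`, and the second hunk of this commit adds a `NODE_VALID` test on the same `target` in blk_exp_close(), so that test appears to depend on these bits being preserved. I would add a comment above `n->flags |= NODE_BROKEN;` along the lines of `/* OR the bits in: blk_exp_close() later tests NODE_VALID on these nodes. */`. The body of find_pending() starts and ends outside this hunk, so whether other callers read the preserved bits cannot be confirmed from here.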
@@ -714,15 +714,16 @@ blk_exp_close(MACRO_PROT_ARGS)
}
if (n != NULL) {
+ pending = 0;
if (ntok != TOKEN_NONE && n->flags & NODE_BROKEN) {
target = n;
do
target = target->parent;
while ( ! (target->flags & NODE_ENDED));
- pending = find_pending(mdoc, ntok, line, ppos,
- target);
- } else
- pending = 0;
+ if ( ! (target->flags & NODE_VALID))
+ pending = find_pending(mdoc, ntok,
+ line, ppos, target);
+ }
if ( ! pending)
rew_pending(mdoc, n);
}
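Review bot: The `do target = target->parent; while ( ! (target->flags & NODE_ENDED));` walk still has no stop condition for running out of parents, so it dereferences NULL if a node marked `NODE_BROKEN` ever lacks an ancestor with `NODE_ENDED`. In the first hunk `NODE_ENDED` is set only when `target->type == ROFFT_HEAD`, so that invariant is not evident from the lines shown, and this code parses untrusted manual-page input in which a fuzzer has already found one NULL dereference. If the invariant does hold by construction, state it in a comment above the loop and enforce it by bracing the body and adding `assert(target != NULL);` after `target = target->parent;`. A regression test with the `.Ac Bc` input from the commit message would also keep the new `NODE_VALID` check from being dropped later. blk_exp_close() starts and ends outside this hunk.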