diff options
| author | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-11 14:11:17 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2017-02-11 14:11:17 +0000 |
| commit | 34dae0ac5bd5b247f20a8ae66eab5e03d13440db (patch) | |
| tree | 8b5cb5db20e178f930df9d37e9d9417bd6922754 /mdoc_macro.c | |
| parent | 26e005b2a5827b112b2ff97f47feb025eaaf6b3e (diff) | |
| download | mandoc-34dae0ac5bd5b247f20a8ae66eab5e03d13440db.tar.gz | |
Do not prematurely close .Nd containing a broken child.
Fixes tree corruption leading to NULL dereference
in insane cases like .Oo Oo .Nd .Pq Oc .Oc Oc
found by tb@ with afl(1).
Diffstat (limited to 'mdoc_macro.c')
| -rw-r--r-- | mdoc_macro.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/mdoc_macro.c b/mdoc_macro.c index 570e5698..23167fb4 100644 --- a/mdoc_macro.c +++ b/mdoc_macro.c @@ -647,10 +647,16 @@ blk_exp_close(MACRO_PROT_ARGS) break; } - /* Explicit blocks close out description lines. */ + /* + * Explicit blocks close out description lines, but + * even those can get broken together with a child. + */ if (n->tok == MDOC_Nd) { - rew_last(mdoc, n); + if (later != NULL) + n->flags |= NODE_BROKEN | NODE_ENDED; + else + rew_last(mdoc, n); continue; } |