From 49764a9c2f5aba1295cfa9bbd4749c62b4acade9 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Mon, 22 Dec 2014 23:27:32 +0000
Subject: The code already pays attention not to close the same block twice. Similarly, avoid having the same block break two other blocks. In some situations, this could lead to an endless loop in rew_sub() found by jsg@ with afl. Minimal example: .Po Ao Pc Bo Pc Ac Bc
---
 mdoc_macro.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mdoc_macro.c b/mdoc_macro.c
index 4ab58182..212a5df2 100644
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -363,7 +363,7 @@ rew_dohalt(enum mdoct tok, enum mdoc_type type,
 * When starting to rewind, skip plain text
 * and nodes that have already been rewound.
 */
- if (MDOC_TEXT == p->type || MDOC_VALID & p->flags)
+ if (p->type == MDOC_TEXT || p->flags & (MDOC_VALID | MDOC_BREAK))
 return(REWIND_MORE);

 /*
@@ -746,7 +746,7 @@ blk_exp_close(MACRO_PROT_ARGS)
 atok = rew_alt(tok);
 body = endbody = later = NULL;
 for (n = mdoc->last; n; n = n->parent) {
- if (n->flags & MDOC_VALID)
+ if (n->flags & (MDOC_VALID | MDOC_BREAK))
 continue;

 /* Remember the start of our own body. */
-- cgit
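Review bot: The comment above the changed condition in rew_dohalt() is now stale: it still names only plain text and already-rewound nodes, while the new test also skips nodes that carry MDOC_BREAK. It could be extended to ` * and nodes that have already been rewound or that already break another block.`; that wording is inferred from the commit message, because the definition of MDOC_BREAK is outside this diff. The matching `continue` in blk_exp_close() in the second hunk has no comment at all and would benefit from `/* Skip blocks that are already closed or already break another block. */`. Both functions begin and end outside their hunks.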
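Review bot: No regression input accompanies the new flag test in the `for (n = mdoc->last; n; n = n->parent)` loop of blk_exp_close(): the diffstat lists only mdoc_macro.c, so the fuzzer-found sequence `.Po Ao Pc Bo Pc Ac Bc` from the commit message is not pinned by a test. The failure was an endless loop on malformed input, so anything that renders manual pages from an untrusted source would hang rather than report an error, and a later edit to either `MDOC_VALID | MDOC_BREAK` check could bring that back unnoticed. If the project keeps a regression suite, that sequence belongs in it as a case run under a time limit. blk_exp_close() continues outside the hunk, so whether other paths in it can still pick a block that already carries MDOC_BREAK cannot be judged from here.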