From fa0509ac63ac6d0a43a709893722ed6ca5f80611 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Fri, 30 Jan 2015 17:32:16 +0000
Subject: Delete the redundant tbl span flags, just inspect the actual data where needed, which is less fragile. This fixes a subtle NULL pointer access to tp->tbl.cols: Due to a bug in the man(7) parser, the first span of a table can end up in a .TP head, in which case tblcalc() was never called. Found by jsg@ with afl.
---
 man_term.c | 2 +-
 mandoc.h | 3 ---
 tbl.c | 4 ----
 tbl_data.c | 1 -
 tbl_html.c | 4 ++--
 tbl_term.c | 4 ++--
 6 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/man_term.c b/man_term.c
index 28d2a10f..764ad016 100644
--- a/man_term.c
+++ b/man_term.c
@@ -949,7 +949,7 @@ print_man_node(DECL_ARGS)
 * Tables are preceded by a newline. Then process a
 * table line, which will cause line termination,
 */
- if (TBL_SPAN_FIRST & n->span->flags)
+ if (n->span->prev == NULL)
 term_newln(p);
 term_tbl(p, n->span);
 return;
diff --git a/mandoc.h b/mandoc.h
index 2267f1d8..4cb653b4 100644
--- a/mandoc.h
+++ b/mandoc.h
@@ -285,9 +285,6 @@ struct tbl_span {
 struct tbl_span *prev;
 struct tbl_span *next;
 int line; /* parse line */
- int flags;
-#define TBL_SPAN_FIRST (1 << 0)
-#define TBL_SPAN_LAST (1 << 1)
 enum tbl_spant pos;
 };
diff --git a/tbl.c b/tbl.c
index 1a9f01a5..bb301783 100644
--- a/tbl.c
+++ b/tbl.c
@@ -179,9 +179,5 @@ tbl_end(struct tbl_node **tblp)
 tbl->line, tbl->pos, NULL);
 return(0);
 }
-
- if (tbl->last_span != NULL)
- tbl->last_span->flags |= TBL_SPAN_LAST;
-
 return(1);
 }
diff --git a/tbl_data.c b/tbl_data.c
index 697b9073..b9a57622 100644
--- a/tbl_data.c
+++ b/tbl_data.c
@@ -173,7 +173,6 @@ newspan(struct tbl_node *tbl, int line, struct tbl_row *rp)
 if (dp->prev == NULL) {
 tbl->first_span = dp;
 tbl->current_span = NULL;
- dp->flags |= TBL_SPAN_FIRST;
 } else dp->prev->next = dp;
 tbl->last_span = dp;
diff --git a/tbl_html.c b/tbl_html.c
index 617ade75..2fbbbf89 100644
--- a/tbl_html.c
+++ b/tbl_html.c
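Review bot: In print_man_node (man_term.c) the newline before a table is still keyed on span position, `n->span->prev == NULL`, while html_tblopen and term_tbl in this same commit switch to testing `tbl.cols == NULL` because the first span may never reach the formatter. In the case the commit message describes, the first span that does arrive here has a non-NULL `prev`, so the leading `term_newln(p)` appears to be skipped for exactly the tables this fix targets. Since `p` is the pointer handed to term_tbl, `if (p->tbl.cols == NULL)` would keep the two "table starts here" tests in agreement; failing that, a comment such as `/* a first span misplaced into a .TP head gets no leading newline */` would record the gap. The body of print_man_node starts and ends outside the hunk.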
@@ -54,7 +54,7 @@ html_tblopen(struct html *h, const struct tbl_span *sp)
 struct roffcol *col;
 int ic;
- if (sp->flags & TBL_SPAN_FIRST) {
+ if (h->tbl.cols == NULL) {
 h->tbl.len = html_tbl_len;
 h->tbl.slen = html_tbl_strlen;
 tblcalc(&h->tbl, sp, 0);
@@ -132,7 +132,7 @@ print_tbl(struct html *h, const struct tbl_span *sp)
 h->flags &= ~HTML_NONOSPACE;
- if (sp->flags & TBL_SPAN_LAST) {
+ if (sp->next == NULL) {
 assert(h->tbl.cols);
 free(h->tbl.cols);
 h->tbl.cols = NULL;
diff --git a/tbl_term.c b/tbl_term.c
index 8e42fe38..b96804c9 100644
--- a/tbl_term.c
+++ b/tbl_term.c
@@ -81,7 +81,7 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 * calculate the table widths and decimal positions.
 */
- if (sp->flags & TBL_SPAN_FIRST) {
+ if (tp->tbl.cols == NULL) {
 term_flushln(tp);
 tp->tbl.len = term_tbl_len;
@@ -189,7 +189,7 @@ term_tbl(struct termp *tp, const struct tbl_span *sp)
 * existing table configuration and set it to NULL.
 */
- if (sp->flags & TBL_SPAN_LAST) {
+ if (sp->next == NULL) {
 if (sp->opts->opts & (TBL_OPT_DBOX | TBL_OPT_BOX)) {
 tbl_hrule(tp, sp, 1);
 tp->skipvsp = 1;
-- cgit
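Review bot: In html_tblopen (tbl_html.c) the setup now runs only when `h->tbl.cols == NULL`, so it relies on the previous table's teardown under `sp->next == NULL` in print_tbl having run; the two term_tbl hunks in tbl_term.c pair up the same way. The commit message says the man(7) parser can misplace a first span; if a last span could be lost in the same manner (not visible here), the `cols` array sized by tblcalc() for one table would be reused for the next without recalculation. A guard ahead of the setup test, `if (sp->prev == NULL && h->tbl.cols != NULL) { free(h->tbl.cols); h->tbl.cols = NULL; }`, would rule that out, and the equivalent on `tp->tbl.cols` applies in term_tbl. At minimum a comment like `/* cols != NULL means a table is in progress; cleared when the span with next == NULL is printed */` should state the invariant at each setup site. html_tblopen's body starts and ends outside the hunk.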