When the head of a list item is extended with a partial explicit

macro (for example .Xo) and never closed again, the item ends up
without a body block.  This can even happen for list types that
usually don't have heads in the first place.  So even in this
case, check for the existence of the body before accessing it.
NULL pointer access found by jsg@ with afl.

diff --git a/mdoc_validate.c b/mdoc_validate.c
index 7990ffe93853639c8cf09a718cd9454299c81256..01b2f1b7e70ef1e06f2fc4691bfc0504bbe8a615 100644 (file)
--- a/mdoc_validate.c
+++ b/mdoc_validate.c
@@ -1,4 +1,4 @@
-/*     $Id: mdoc_validate.c,v 1.263 2014/11/30 05:29:00 schwarze Exp $ */
+/*     $Id: mdoc_validate.c,v 1.264 2014/12/18 19:23:41 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -1197,7 +1197,7 @@ post_it(POST_ARGS)
        struct mdoc_node *nbl, *nit, *nch;
 
        nit = mdoc->last;
-       if (MDOC_BLOCK != nit->type)
+       if (nit->type != MDOC_BLOCK)
                return;
 
        nbl = nit->parent->parent;
@@ -1213,7 +1213,7 @@ post_it(POST_ARGS)
        case LIST_inset:
                /* FALLTHROUGH */
        case LIST_diag:
-               if (NULL == nit->head->child)
+               if (nit->head->child == NULL)
                        mandoc_vmsg(MANDOCERR_IT_NOHEAD,
                            mdoc->parse, nit->line, nit->pos,
                            "Bl -%s It",
@@ -1226,14 +1226,14 @@ post_it(POST_ARGS)
        case LIST_enum:
                /* FALLTHROUGH */
        case LIST_hyphen:
-               if (NULL == nit->body->child)
+               if (nit->body == NULL || nit->body->child == NULL)
                        mandoc_vmsg(MANDOCERR_IT_NOBODY,
                            mdoc->parse, nit->line, nit->pos,
                            "Bl -%s It",
                            mdoc_argnames[nbl->args->argv[0].arg]);
                /* FALLTHROUGH */
        case LIST_item:
-               if (NULL != nit->head->child)
+               if (nit->head->child != NULL)
                        mandoc_vmsg(MANDOCERR_ARG_SKIP,
                            mdoc->parse, nit->line, nit->pos,
                            "It %s", nit->head->child->string);
@@ -1241,10 +1241,10 @@ post_it(POST_ARGS)
        case LIST_column:
                cols = (int)nbl->norm->Bl.ncols;
 
-               assert(NULL == nit->head->child);
+               assert(nit->head->child == NULL);
 
                for (i = 0, nch = nit->child; nch; nch = nch->next)
-                       if (MDOC_BODY == nch->type)
+                       if (nch->type == MDOC_BODY)
                                i++;
 
                if (i < cols || i > cols + 1)