Avoid a use after free when the target node is deleted during validation.

Bug reported by jsg@.

diff --git a/mdoc_macro.c b/mdoc_macro.c
index 8322cca523b59ca0b73a5728d2aa87f80147e5a5..8a81165238c844da5dd06972f7f64bde86244c88 100644 (file)
--- a/mdoc_macro.c
+++ b/mdoc_macro.c
@@ -1,4 +1,4 @@
-/*     $Id: mdoc_macro.c,v 1.193 2015/04/19 14:57:38 schwarze Exp $ */
+/*     $Id: mdoc_macro.c,v 1.194 2015/04/21 16:14:25 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -291,18 +291,21 @@ rew_pending(struct roff_man *mdoc, const struct roff_node *n)
        for (;;) {
                rew_last(mdoc, n);
 
-               switch (n->type) {
-               case ROFFT_HEAD:
-                       roff_body_alloc(mdoc, n->line, n->pos, n->tok);
-                       return;
-               case ROFFT_BLOCK:
-                       break;
-               default:
-                       return;
-               }
-
-               if ( ! (n->flags & MDOC_BROKEN))
-                       return;
+               if (mdoc->last == n) {
+                       switch (n->type) {
+                       case ROFFT_HEAD:
+                               roff_body_alloc(mdoc, n->line, n->pos,
+                                   n->tok);
+                               return;
+                       case ROFFT_BLOCK:
+                               break;
+                       default:
+                               return;
+                       }
+                       if ( ! (n->flags & MDOC_BROKEN))
+                               return;
+               } else
+                       n = mdoc->last;
 
                for (;;) {
                        if ((n = n->parent) == NULL)