From 69f54c346ec87b3899a95b224628d8df313bbc85 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Wed, 11 Feb 2015 14:15:12 +0000
Subject: do not access a NULL pointer if an .Eo block lacks a tail; found by
 jsg@ with afl, test case #16

---
 mdoc_html.c | 7 +++----
 mdoc_man.c  | 7 +++----
 mdoc_term.c | 7 +++----
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/mdoc_html.c b/mdoc_html.c
index 88037fad..1ab344fc 100644
--- a/mdoc_html.c
+++ b/mdoc_html.c
@@ -1,4 +1,4 @@
-/*	$Id: mdoc_html.c,v 1.223 2015/02/05 01:46:56 schwarze Exp $ */
+/*	$Id: mdoc_html.c,v 1.224 2015/02/11 14:15:12 schwarze Exp $ */
 /*
  * Copyright (c) 2008-2011, 2014 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -2220,9 +2220,8 @@ mdoc_eo_pre(MDOC_ARGS)
 	    n->child->end != ENDBODY_NOT)
 		print_text(h, "\\&");
 	else if (n->end != ENDBODY_NOT ? n->child != NULL :
-	    n->parent->head->child != NULL &&
-	    (n->parent->body->child != NULL ||
-	     n->parent->tail->child != NULL))
+	    n->parent->head->child != NULL && (n->child != NULL ||
+	    (n->parent->tail != NULL && n->parent->tail->child != NULL)))
 		h->flags |= HTML_NOSPACE;
 	return(1);
 }
diff --git a/mdoc_man.c b/mdoc_man.c
index eee1e3a7..966ffa8c 100644
--- a/mdoc_man.c
+++ b/mdoc_man.c
@@ -1,4 +1,4 @@
-/*	$Id: mdoc_man.c,v 1.85 2015/02/06 03:38:45 schwarze Exp $ */
+/*	$Id: mdoc_man.c,v 1.86 2015/02/11 14:15:12 schwarze Exp $ */
 /*
  * Copyright (c) 2011-2015 Ingo Schwarze <schwarze@openbsd.org>
  *
@@ -1140,9 +1140,8 @@ pre_eo(DECL_ARGS)
 	    n->child->end != ENDBODY_NOT)
 		print_word("\\&");
 	else if (n->end != ENDBODY_NOT ? n->child != NULL :
-	    n->parent->head->child != NULL &&
-	    (n->parent->body->child != NULL ||
-	     n->parent->tail->child != NULL))
+	    n->parent->head->child != NULL && (n->child != NULL ||
+	    (n->parent->tail != NULL && n->parent->tail->child != NULL)))
 		outflags &= ~(MMAN_spc | MMAN_nl);
 	return(1);
 }
diff --git a/mdoc_term.c b/mdoc_term.c
index 1c37b203..c374c983 100644
--- a/mdoc_term.c
+++ b/mdoc_term.c
@@ -1,4 +1,4 @@
-/*	$Id: mdoc_term.c,v 1.308 2015/02/05 01:46:56 schwarze Exp $ */
+/*	$Id: mdoc_term.c,v 1.309 2015/02/11 14:15:12 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010, 2012-2015 Ingo Schwarze <schwarze@openbsd.org>
@@ -1989,9 +1989,8 @@ termp_eo_pre(DECL_ARGS)
 	    n->child->end != ENDBODY_NOT)
 		term_word(p, "\\&");
 	else if (n->end != ENDBODY_NOT ? n->child != NULL :
-	     n->parent->head->child != NULL &&
-	     (n->parent->body->child != NULL ||
-	      n->parent->tail->child != NULL))
+	     n->parent->head->child != NULL && (n->child != NULL ||
+	     (n->parent->tail != NULL && n->parent->tail->child != NULL)))
 		p->flags |= TERMP_NOSPACE;
 
 	return(1);
-- 
cgit v1.2.3