From ad7c0d85e2a07c807e1918e9be540ffa6c5fc5de Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Fri, 28 Nov 2014 16:02:52 +0000
Subject: [PATCH] Be more careful about meta->name. For weird input, it can be NULL. Fixing a NULL access jsg@ found with afl.
---
 mdoc_term.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/mdoc_term.c b/mdoc_term.c
index 9a73631a..97a64ade 100644
--- a/mdoc_term.c
+++ b/mdoc_term.c
@@ -1,4 +1,4 @@
-/* $Id: mdoc_term.c,v 1.295 2014/11/27 22:27:56 schwarze Exp $ */
+/* $Id: mdoc_term.c,v 1.296 2014/11/28 16:02:52 schwarze Exp $ */
 /*
 * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons
 * Copyright (c) 2010, 2012, 2013, 2014 Ingo Schwarze
@@ -995,6 +995,7 @@ termp_it_post(DECL_ARGS)
 static int
 termp_nm_pre(DECL_ARGS)
 {
+ const char *cp;
 
 if (MDOC_BLOCK == n->type) {
 p->flags |= TERMP_PREKEEP;
@@ -1005,12 +1006,15 @@ termp_nm_pre(DECL_ARGS)
 if (NULL == n->child)
 return(0);
 p->flags |= TERMP_NOSPACE;
- p->offset += term_len(p, 1) +
- (NULL == n->prev->child ?
- term_strlen(p, meta->name) :
- MDOC_TEXT == n->prev->child->type ?
- term_strlen(p, n->prev->child->string) :
- term_len(p, 5));
+ cp = NULL;
+ if (n->prev->child != NULL)
+ cp = n->prev->child->string;
+ if (cp == NULL)
+ cp = meta->name;
+ if (cp == NULL)
+ p->offset += term_len(p, 6);
+ else
+ p->offset += term_len(p, 1) + term_strlen(p, cp);
 return(1);
 }
 
-- 
2.47.1
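Review bot: The rewritten block in the last hunk drops the `MDOC_TEXT == n->prev->child->type` guard that the removed lines had, so `n->prev->child->string` is now read for any child node type and a non-text child silently falls through to `meta->name` (or the fixed width) instead of the former `term_len(p, 5)`; unless `string` is known to be NULL for every non-text node, the guard should stay, e.g. `if (n->prev->child != NULL && MDOC_TEXT == n->prev->child->type)`. Whether that invariant holds cannot be told from this hunk, so treat it as a question to confirm rather than a certain defect. The fixed fallback deserves a one-line comment such as `/* No name available: reserve the former 1 + 5 width. */` above `p->offset += term_len(p, 6);`, since the constant 6 only makes sense against the removed `term_len(p, 1) + term_len(p, 5)`. `n->prev` itself is still dereferenced without a NULL check in both the old and the new code; if a body node can lack a preceding head node for malformed input, that is a remaining crash path worth a case under the same fuzzer. termp_nm_pre begins in the previous hunk and its body continues past this one.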